[Bro-Dev] #354: Allow analyser to process partial HTTP connections.
sridhar basam
sri at basam.org
Wed Jan 19 08:40:44 PST 2011
On Wed, Jan 19, 2011 at 11:30 AM, Bro Tracker <bro at tracker.icir.org> wrote:
> #354: Allow analyser to process partial HTTP connections.
> ------------------------------+-----------------
> Reporter: sridhar.basam | Owner:
> Type: Feature Request | Status: new
> Priority: Normal | Milestone:
> Component: Bro | Version:
> Resolution: | Keywords:
> ------------------------------+-----------------
>
> Old description:
>
> > By default the HTTP analyser doesn't process packets where bro did not
> > see the initial handshake. I got a couple of 1 line patches from Vern to
> > fix it. Can we roll this into a future release?
> >
> > Sridhar
>
> New description:
>
> By default the HTTP analyser doesn't process packets where bro did not see
> the initial handshake. I got a couple of 1 line patches from Vern to fix
> it. Can we roll this into a future release?
>
> Sridhar
>
> --
>
> Comment (by seth):
>
> This is a fairly large change in semantics for how Bro currently functions
> and I'm curious what your motivation for this change is. Can you give an
> example of the conditions where this is causing a problem for you?
>
> --
> Ticket URL: <http://tracker.icir.org/bro/ticket/354#comment:1>
> Bro Tracker <http://tracker.icir.org/bro>
> Bro Issue Tracker
>
I have applications which use persistent HTTP connections to talk to
upstream services. These connections live for a really long time,
thousands/tens of thousands of requests on a single TCP connection. I use
bro to analyse HTTP requests and replies for these applications. I need the
ability to run the analyser for these partial connections in the pcap file.
Sridhar