[Bro-Dev] #411: Non-binpac analyzer generates incorrect weird

Bro Tracker bro at tracker.icir.org
Mon Mar 14 09:47:27 PDT 2011

#411: Non-binpac analyzer generates incorrect weird
 Reporter:  seth     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro1.6
Component:  Bro      |    Version:
 Keywords:           |
 With the attached tracefile, the non-binpac analyzer raise a weird named
 unmatched_HTTP_reply when it shouldn't.  The tracefile has a request that
 uses "Expect: 100-continue" which should allow the web server to respond
 to tell the client if it's ok to send a request body to the avoid the
 situation of a client sending a lot of data only to be rejected because
 the request was bad or unallowed for some reason.  The second http reply
 is expected because it comes after the request body.  Here are the specs
 for the command for reference:

 I think the right response to this is to remove the weird from the core.
 If we still want to handle this situation, we can handle it from the
 appropriate bro script.  This should help trim down the number of invalid
 weird's a little bit since this is probably a fairly common occurrence.

Ticket URL: <http://tracker.icir.org/bro/ticket/411>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list