[Bro-Dev] #411: Non-binpac analyzer generates incorrect weird
Bro Tracker
bro at tracker.icir.org
Mon Mar 14 09:47:27 PDT 2011
#411: Non-binpac analyzer generates incorrect weird
---------------------+--------------------
Reporter: seth | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro1.6
Component: Bro | Version:
Keywords: |
---------------------+--------------------
With the attached tracefile, the non-binpac analyzer raises a weird named
unmatched_HTTP_reply when it shouldn't. The tracefile has a request that
uses "Expect: 100-continue" which should allow the web server to respond
to tell the client if it's ok to send a request body to avoid the
situation of a client sending a lot of data only to be rejected because
the request was bad or unallowed for some reason. The second http reply
is expected because it comes after the request body. Here are the specs
for the command for reference:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec8.html#sec8.2.3
I think the right response to this is to remove the weird from the core.
If we still want to handle this situation, we can handle it from the
appropriate bro script. This should help trim down the number of invalid
weirds a little bit since this is probably a fairly common occurrence.
--
Ticket URL: <http://tracker.icir.org/bro/ticket/411>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
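
The exchange described in the ticket, as an added example that is not part of the original message and is not Bro's analyzer code: a simplified request/reply matcher run over a constructed event sequence, showing how counting the interim 100 (Continue) reply as the final reply leaves the real final reply unmatched. The event names, the sample request and the match_replies function are assumptions made for illustration.

```python
from collections import deque

# Constructed event sequence modelling the exchange in the ticket:
# request headers with "Expect: 100-continue", interim 100 reply,
# request body, then the final reply.
EVENTS = [
    ("request", "POST /upload"),   # headers only, Expect: 100-continue
    ("reply", 100),                # server: OK to send the body
    ("request_body", None),        # client sends the body
    ("reply", 200),                # final reply to the same request
]


def match_replies(events, interim_aware):
    """Pair replies with requests; return the list of weird names raised.

    interim_aware=False: every reply consumes one pending request.
    interim_aware=True: a 100 (Continue) reply leaves the request pending,
    because RFC 2616 section 8.2.3 has a final reply follow the body.
    """
    pending = deque()
    weirds = []
    for kind, value in events:
        if kind == "request":
            pending.append(value)
        elif kind == "reply":
            if not pending:
                # No outstanding request to pair this reply with.
                weirds.append("unmatched_HTTP_reply")
                continue
            if interim_aware and value == 100:
                continue  # interim reply: request still awaits final status
            pending.popleft()
    return weirds


if __name__ == "__main__":
    print("naive:", match_replies(EVENTS, interim_aware=False))
    print("interim-aware:", match_replies(EVENTS, interim_aware=True))
```

A reply that arrives with no request outstanding is still reported in both modes, so only the 100-continue false positive goes away.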