[Bro-Dev] #454: Handwritten HTTP analyzer fails in ambiguous case
Bro Tracker
bro at tracker.icir.org
Tue May 10 13:52:10 PDT 2011
#454: Handwritten HTTP analyzer fails in ambiguous case
-------------------------------+-----------------
Reporter: seth | Owner:
Type: Test Case Missing | Status: new
Priority: Low | Milestone:
Component: Bro | Version:
Keywords: strange |
-------------------------------+-----------------
The handwritten HTTP analyzer has trouble with the attached tracefile at
the end of the response body. The server is returning "\n\r\n" instead of
the expected "\r\n\r\n" and the first newline is passed into the
http_entity_data event.

According to the Content-Length header, this initial \n must be part of
the end of data indicator and not a newline in the response body.

I'm not filing this as something to be fixed (because browsers seem to
have trouble with it too) but rather documenting it as a strange edge case
that we may want to cope with in the future since there seem to be web
servers actively behaving this way.

To get a glimpse at the problem you can run the following command:
{{{
curl http://webcs.msg.yahoo.com/crossdomain.xml | hexdump
}}}
--
Ticket URL: <http://tracker.icir.org/bro/ticket/454>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
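
An added example, not part of the ticket and not Bro's code: one way to flag the condition described above is to compare the entity bytes a parser delivers with the declared Content-Length and report a surplus made up only of CR/LF bytes. The class name, result fields and sample chunks are hypothetical and constructed here; the tracefile's actual byte layout is not assumed.

```python
from dataclasses import dataclass, field

# Byte values of CR and LF; iterating a bytes object yields ints.
LINE_END_BYTES = frozenset(b"\r\n")


@dataclass
class EntityLengthCheck:
    """Hypothetical checker: delivered entity bytes vs. declared Content-Length."""
    content_length: int
    chunks: list = field(default_factory=list)

    def entity_data(self, data: bytes) -> None:
        # Call once per delivered body chunk (models one http_entity_data event).
        self.chunks.append(data)

    def verdict(self) -> dict:
        body = b"".join(self.chunks)
        surplus = len(body) - self.content_length
        if surplus == 0:
            return {"status": "ok", "where": None, "surplus": b""}
        if surplus < 0:
            return {"status": "short_body", "where": None, "surplus": b""}
        # The extra bytes may sit before or after the declared body. If either
        # candidate consists only of CR/LF, framing bytes probably leaked into
        # the entity data. This is a heuristic: a body that legitimately starts
        # or ends with a newline produces the same picture.
        candidates = (("leading", body[:surplus]), ("trailing", body[-surplus:]))
        for where, extra in candidates:
            if all(b in LINE_END_BYTES for b in extra):
                return {"status": "line_terminator_in_body",
                        "where": where, "surplus": extra}
        return {"status": "long_body", "where": "trailing",
                "surplus": body[-surplus:]}


def demo() -> dict:
    # Constructed sample: Content-Length is 5, but a stray "\n" is delivered
    # as entity data ahead of the 5 declared body bytes.
    check = EntityLengthCheck(content_length=5)
    for chunk in (b"\n", b"hello"):
        check.entity_data(chunk)
    return check.verdict()


if __name__ == "__main__":
    print(demo())
```
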