[Bro-Dev] [JIRA] (BIT-1179) HTTP messages missing in files.log

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Wed Apr 9 13:32:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1179?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16110#comment-16110 ] 

Jon Siwek commented on BIT-1179:
--------------------------------

There's a missing TCP segment in the middle of that pcap that looks like it would have contained an HTTP reply.  And the thing about the HTTP analyzer seems to be that it stops parsing the rest of the connection if there's a gap that's not isolated to an HTTP message body.  So two files end up being pushed from the HTTP analyzer over to the file analysis stuff, then the HTTP analyzer stops parsing anything else due to the missing TCP segment.

Since that seems intentional and it's an HTTP analysis limitation not a file analysis bug, think there's anything to do here right now?

> HTTP messages missing in files.log
> ----------------------------------
>
>                 Key: BIT-1179
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1179
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Robin Sommer
>            Assignee: Jon Siwek
>             Fix For: 2.3
>
>
> I have a trace with multiple HTTP requests inside a persistent HTTP session, for which only the first two appear in files.log; the remaining ones are missing. Looks like a bug.



--
This message was sent by Atlassian JIRA
(v6.3-OD-02-026#6318)
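
A triage helper for the situation described in the comment above, added here as an example (it is not code from the thread or from the Bro project): it lists HTTP connections whose conn.log entry reports a content gap, with their http.log and files.log entry counts, so those counts can be read as lower bounds. It assumes Bro's TSV log format and the `missed_bytes` (conn.log), `uid` (http.log) and `conn_uids` (files.log) columns; the sample logs are constructed and trimmed to a few columns.

```python
from collections import Counter

def read_bro_tsv(text):
    """Parse a Bro TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def gap_truncated_connections(conn_log, http_log, files_log):
    """Map uid -> (missed_bytes, http_entries, file_entries) for HTTP connections with a gap."""
    http_seen = Counter(r["uid"] for r in read_bro_tsv(http_log))
    files_seen = Counter()
    for r in read_bro_tsv(files_log):
        for uid in r["conn_uids"].split(","):   # conn_uids is a comma-separated set
            files_seen[uid] += 1
    flagged = {}
    for r in read_bro_tsv(conn_log):
        missed = 0 if r["missed_bytes"] in ("-", "") else int(r["missed_bytes"])
        if missed > 0 and r["uid"] in http_seen:
            flagged[r["uid"]] = (missed, http_seen[r["uid"]], files_seen[r["uid"]])
    return flagged

def _log(fields, rows):
    """Build a constructed sample log in Bro TSV layout."""
    head = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    return "\n".join(head + ["\t".join(r) for r in rows])

# Constructed sample data: CGAP1 lost one TCP segment, CFULL2 is complete.
CONN_LOG = _log(["uid", "service", "missed_bytes"],
                [["CGAP1", "http", "1460"], ["CFULL2", "http", "0"]])
HTTP_LOG = _log(["uid", "trans_depth", "uri"],
                [["CGAP1", "1", "/a"], ["CGAP1", "2", "/b"],
                 ["CFULL2", "1", "/x"], ["CFULL2", "2", "/y"], ["CFULL2", "3", "/z"]])
FILES_LOG = _log(["fuid", "conn_uids", "source"],
                 [["F1", "CGAP1", "HTTP"], ["F2", "CGAP1", "HTTP"],
                  ["F3", "CFULL2", "HTTP"], ["F4", "CFULL2", "HTTP"], ["F5", "CFULL2", "HTTP"]])

if __name__ == "__main__":
    for uid, (missed, n_http, n_files) in gap_truncated_connections(
            CONN_LOG, HTTP_LOG, FILES_LOG).items():
        print(f"{uid}: {missed} bytes missed; {n_http} http.log and "
              f"{n_files} files.log entries may be incomplete")
```
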

