[Bro-Dev] [JIRA] (BIT-1264) HTTP response not detected on nonstandard port

Jimmy Jones (JIRA) jira at bro-tracker.atlassian.net
Fri Oct 3 08:27:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18225#comment-18225 ] 

Jimmy Jones commented on BIT-1264:
----------------------------------

Is it possible for bro to infer the packets belong to a responder, because the connection started with a SYN+ACK rather than just a SYN? Or is that a major change for an edge case, although not unheard of on SPAN ports?

> HTTP response not detected on nonstandard port
> ----------------------------------------------
>
>                 Key: BIT-1264
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1264
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: relaxed.bro, relaxed-http.sig, sample-small2-rsp.pcap, sample-small-rsp.pcap
>
>
> Using the attached bro script I've tweaked the HTTP signature to match on http responses without the corresponding HTTP request TCP session. I know in a proper setup you should never get single sided traffic, but certainly when using bro as a tool you have to deal with it sometimes.
> Bro handles this fine when the HTTP is on port 80, but not when on port 4321 (see attached PCAPs). I'm curious as to why?



--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)
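As an added illustration, not the attached relaxed-http.sig (whose contents are not shown in the ticket), here is what a "relaxed" server-side signature modelled on the stock Bro 2.x base/protocols/http/dpd.sig could look like; the signature name and the dropped conditions are my assumptions about the reporter's tweak:

```bro
# Added example, modelled on the stock dpd_http_server signature shipped in
# Bro 2.x base/protocols/http/dpd.sig. It is an assumption about what the
# reporter's relaxed-http.sig does, not a copy of that attachment.
#
# The stock signature carries two extra conditions that are removed here:
#   requires-reverse-signature dpd_http_client   (needs the client's request
#                                                 to have matched first)
#   tcp-state responder                          (payload must come from the
#                                                 side Bro recorded as responder)
signature relaxed_http_server {
  ip-proto == tcp
  # A bare "HTTP/1.x ..." status line is enough to attach the HTTP analyzer,
  # whatever port the response arrives on.
  payload /^HTTP\/[0-9]/
  # tcp-state responder is left out on purpose: if a capture begins with the
  # server's SYN+ACK and Bro records that side as the originator (the
  # orientation question raised in the comment above), a responder-only
  # condition would never match on the one-sided traffic.
  enable "http"
}
```

Port 80 works without any signature because the HTTP analyzer is registered for its well-known ports in base/protocols/http/main.bro, whereas a nonstandard port such as 4321 relies entirely on a DPD signature firing.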

