[Bro-Dev] [JIRA] (BIT-1264) HTTP response not detected on nonstandard port

Jimmy Jones (JIRA) jira at bro-tracker.atlassian.net
Fri Oct 3 08:27:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18225#comment-18225 ] 

Jimmy Jones commented on BIT-1264:

Is it possible for bro to infer the packets belong to a responder, because the connection started with a SYN+ACK rather than just a SYN? Or is that a major change for an edge case, although not unheard of on SPAN ports?

> HTTP response not detected on nonstandard port
> ----------------------------------------------
>                 Key: BIT-1264
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1264
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: relaxed.bro, relaxed-http.sig, sample-small2-rsp.pcap, sample-small-rsp.pcap
> Using the attached bro script I've tweaked the HTTP signature to match on HTTP responses without the corresponding HTTP request TCP session. I know in a proper setup you should never get single-sided traffic, but certainly when using bro as a tool you have to deal with it sometimes.
> Bro handles this fine when the HTTP is on port 80, but not when on port 4321 (see attached PCAPs). I'm curious as to why?

This message was sent by Atlassian JIRA
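
The heuristic asked about in the comment above (treat the sender of a leading SYN+ACK as the responder), as an added sketch that is not part of the original message and is not Bro's code. The packet dicts, addresses, ports other than 80 and 4321, and function names are constructed for illustration.

```python
from collections import OrderedDict

SYN, PSH, ACK = 0x02, 0x08, 0x10  # TCP flag bits


def flow_key(pkt):
    """Direction-independent flow key: both endpoints, sorted."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return tuple(sorted((a, b)))


def infer_roles(packets):
    """Map each flow to (originator, responder, basis) from its first packet seen."""
    roles = OrderedDict()
    for pkt in packets:
        key = flow_key(pkt)
        if key in roles:
            continue  # roles are decided by the first packet only
        sender = (pkt["src"], pkt["sport"])
        receiver = (pkt["dst"], pkt["dport"])
        syn = bool(pkt["flags"] & SYN)
        ack = bool(pkt["flags"] & ACK)
        if syn and not ack:
            roles[key] = (sender, receiver, "syn")
        elif syn and ack:
            # A SYN+ACK answers a SYN we never saw: its sender is the responder.
            roles[key] = (receiver, sender, "syn-ack")
        else:
            # Mid-stream pickup: no handshake evidence, fall back to first sender.
            roles[key] = (sender, receiver, "first-seen")
    return roles


# Constructed one-sided capture (documentation addresses, not from the attached PCAPs).
SAMPLE = [
    {"src": "192.0.2.10", "sport": 4321, "dst": "198.51.100.7", "dport": 51000, "flags": SYN | ACK},
    {"src": "192.0.2.10", "sport": 4321, "dst": "198.51.100.7", "dport": 51000, "flags": PSH | ACK},
    {"src": "198.51.100.7", "sport": 51001, "dst": "192.0.2.10", "dport": 80, "flags": SYN},
    {"src": "192.0.2.10", "sport": 8080, "dst": "198.51.100.7", "dport": 51002, "flags": ACK},
]

if __name__ == "__main__":
    for orig, resp, basis in infer_roles(SAMPLE).values():
        print(f"orig={orig} resp={resp} basis={basis}")
```

Only the first flow changes under this heuristic: without the flip, the server on port 4321 would be recorded as the originator because it sent the first packet seen.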
