[Bro-Dev] [JIRA] (BIT-1264) HTTP response not detected on nonstandard port

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Fri Oct 3 09:41:07 PDT 2014


    [ https://bro-tracker.atlassian.net/browse/BIT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18228#comment-18228 ] 

Jon Siwek commented on BIT-1264:
--------------------------------

{quote}
Is it possible for bro to infer the packets belong to a responder, because the connection started with a SYN+ACK rather than just a SYN? Or is that a major change for an edge case, although not unheard of on SPAN ports?
{quote}

It is possible to do that: you can take a look at BIT-1236 which mentions a branch that implements that change, but it isn't 100% accurate (check out the github pull request comments also linked in that ticket). I haven't yet revisited to see if something more can be done and I'm not sure right now how deep the changes would be to improve it.

> HTTP response not detected on nonstandard port
> ----------------------------------------------
>
>                 Key: BIT-1264
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1264
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: relaxed.bro, relaxed-http.sig, sample-small2-rsp.pcap, sample-small-rsp.pcap
>
>
> Using the attached bro script I've tweaked the HTTP signature to match on HTTP responses without the corresponding HTTP request TCP session. I know in a proper setup you should never get single-sided traffic, but certainly when using bro as a tool you have to deal with it sometimes.
> Bro handles this fine when the HTTP is on port 80, but not when on port 4321 (see attached PCAPs). I'm curious as to why?
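As an added illustration of the direction question raised above (toy Python written for this page, not Bro's own code): Bro assigns originator/responder by who sent the first packet of a connection, so on a one-sided capture the server's SYN+ACK makes the server look like the originator and a response-side signature on a nonstandard port has nothing to match. The function below applies the SYN+ACK inference with the fallback case where it stays ambiguous; the packet dicts and addresses are constructed sample data.

```python
# Toy model of connection-role assignment, not Zeek/Bro code.
SYN, ACK = 0x02, 0x10


def flow_key(pkt):
    """Direction-independent key so both halves of a flow map together."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (a, b) if a < b else (b, a)


def assign_roles(packets, infer_from_synack=True):
    """Return {flow_key: (originator, responder, reason)}.

    The first packet seen for a flow decides the roles (Bro's default).
    With infer_from_synack, a first packet carrying SYN+ACK is treated as
    the server's half of a handshake whose SYN was never captured, so the
    sender becomes the responder instead of the originator.
    """
    roles = {}
    for p in packets:
        k = flow_key(p)
        if k in roles:
            continue
        sender = (p["src"], p["sport"])
        receiver = (p["dst"], p["dport"])
        flags = p["flags"]
        if infer_from_synack and flags & (SYN | ACK) == (SYN | ACK):
            roles[k] = (receiver, sender, "inferred from SYN+ACK")
        elif flags & SYN:
            roles[k] = (sender, receiver, "SYN")
        else:
            # Mid-stream start with no handshake flags: no evidence either
            # way, so fall back to first-packet order. This is the kind of
            # case where SYN+ACK inference alone is not 100% accurate.
            roles[k] = (sender, receiver, "first packet (ambiguous)")
    return roles


# Constructed sample: only the server side (10.0.0.5:4321) of an HTTP
# exchange on a nonstandard port was captured, e.g. from a SPAN port.
ONE_SIDED = [
    {"src": "10.0.0.5", "sport": 4321, "dst": "192.0.2.7", "dport": 51000,
     "flags": SYN | ACK},
    {"src": "10.0.0.5", "sport": 4321, "dst": "192.0.2.7", "dport": 51000,
     "flags": ACK},  # would carry "HTTP/1.1 200 OK ..." as payload
]
```

Without the inference the server ends up as originator and the response is seen on the wrong side of the connection; with it, the roles match what the HTTP analyzer expects.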

--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)