[Bro-Dev] [JIRA] (BIT-1265) Single sided HTTP POST split

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Fri Oct 3 09:54:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18229#comment-18229 ] 

Jon Siwek commented on BIT-1265:

Might it be better to mark the connection as successful if data is sent?

Yeah, I think that's a nice idea -- seems kind of arbitrary for Bro to close the session if it knows one side is still actively sending data.

Otherwise have to set this to a large number, to cover longest possible TCP sessions, but presumably has a big impact on memory usage, as "lone" SYN's will keep state?

Yes, I think that would be a concern, but there's also several other timeout mechanisms (which are also tuneable) that I'm not immediately sure would come to the rescue even if the one in question was set high.

> Single sided HTTP POST split
> ----------------------------
>                 Key: BIT-1265
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1265
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: sample-upload2-all.pcap, sample-upload2-req.pcap
> Attached two pcap samples, one is a single sided version of the other, an HTTP POST.
> When I process the single sided version (sample-upload2-req) conn.log shows two sessions (the HTTP POST tcp connection that has been split) and http.log shows a partial upload. However processing the original sample (sample-upload2-all) everything is as expected - one connection in conn.log and a complete http.log
> Are there any parameters I can tweak to make this work?

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list