[Bro-Dev] [JIRA] (BIT-1248) TCP gaps inserted in wrong place in HTTP range request

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Thu Sep 11 10:31:08 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1248?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011#comment-18011 ] 

Jon Siwek commented on BIT-1248:

Yeah, looked like the problem here was what you were thinking.  Branch "topic/jsiwek/bit-1248" has a fix in it (includes changes from BIT-1240 and BIT-1246).

> TCP gaps inserted in wrong place in HTTP range request
> ------------------------------------------------------
>                 Key: BIT-1248
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1248
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: http-range-hole1.pcap, http-range.pcap
> See attached testcases, one with packet #10 missing.
> Putting this through the file extraction framework with the script below, the hole is not inserted at the correct point (the data either side of the hole is side by side). I believe this may be because HTTP.cc calls DataIn with an offset argument, which isn't updated for missing packets.
> Bug still exists with BIT-1240 applied.
> event file_new(f: fa_file)
> { Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=f$id]); } 

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list