[Bro-Dev] [Bro-Commits] [git/bro] topic/jsiwek/bit-1246: Fix issue w/ TCP reassembler not delivering some segments. (f1cef9d)
Siwek, Jon
jsiwek at illinois.edu
Fri Sep 12 06:44:34 PDT 2014
> On Sep 12, 2014, at 8:10 AM, Seth Hall <seth at icir.org> wrote:
>
> On Sep 11, 2014, at 11:59 AM, Jonathan Siwek <jsiwek at ncsa.illinois.edu> wrote:
>
>> + // Only report on content gaps for connections that
>> + // are in a cleanly established state. In other
>> + // states, these can arise falsely due to things
>> + // like sequence number mismatches in RSTs, or
>> + // unseen previous packets in partial connections.
>> + // The one opportunity we lose here is on clean FIN
>> + // handshakes, but Oh Well.
>
> If I'm reading this right, this seems like an undesirable outcome. If Bro starts and a connection is in the middle, does this mean we wouldn't see any content gaps for that connection?
Yes, I think that may be the case, but just for the content_gap event, not for telling analyzers there’s a gap in the stream. It’s adjustable by redef'ing BifConst::report_gaps_for_partial. It’s also not new behavior, that comment was attached to some already-existing code that I factored out in to a separate function so I could easily re-use it. Not giving judgement on what behavior should be the default, but changing it shouldn’t be done as part of what I was trying to fix in this commit.
- Jon
More information about the bro-dev
mailing list