[Bro-Dev] [JIRA] (BIT-1257) Same file id generated for potentially different files

Seth Hall (JIRA) jira at bro-tracker.atlassian.net
Fri Sep 26 07:04:07 PDT 2014

    [ https://bro-tracker.atlassian.net/browse/BIT-1257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18212#comment-18212 ] 

Seth Hall commented on BIT-1257:

The tests that are merging multiple files into one are actually working exactly like they're supposed to.  With the change you made, you will end up with two chunks of the file if you enable extraction but if you leave it as it is you will end up with one file that just happened to be transferred over two connections and reassembled back into the single original file.

This is definitely an area where there isn't a right answer so we just have to go based on experience of what's happening in real traffic and we definitely see this sort of stuff in real traffic.  Also, if you don't like Bro's behavior, you can run your own script (without modifying any of the shipped scripts) that gives you the behavior you're looking for.  Did you understand my suggestion about doing your own get_file_handle function and registering that at the begging of this ticket?

> Same file id generated for potentially different files
> ------------------------------------------------------
>                 Key: BIT-1257
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1257
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master, 2.3
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>         Attachments: fa.bro, sample-samefileid.pcap
> Attached sample contains two HTTP downloads of the same URL from the same client, but there are no guarantees that the files is actually the same (no Etags etc - in this case it actually is the same, but lets pretend they were different...). However the file analysis framework seems to give the same file ID in file_name and file_chunk for both downloads.
> Think this is something to do with Range requests as doesn't happen if do "normal" HTTP requests.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list