[Bro-Dev] [JIRA] (BIT-1265) Single sided HTTP POST split

Johanna Amann (JIRA) jira at bro-tracker.atlassian.net
Thu Oct 22 14:04:02 PDT 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-1265?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1265:
-------------------------------
    Resolution: Won't Fix
        Status: Closed  (was: Open)

I am closing this for now. It is one of the well-known gotchas of the current Bro implementation that it does not deal well with one-sided traffic.

We should fix that at some point in the future - however, it will not be forgotten and extends way beyond the issues indicated in this bug. If there is any more need for discussion, feel free to re-open.

> Single sided HTTP POST split
> ----------------------------
>
>                 Key: BIT-1265
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1265
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>         Environment: CentOS 6
>            Reporter: Jimmy Jones
>             Fix For: 2.5
>
>         Attachments: sample-upload2-all.pcap, sample-upload2-req.pcap
>
>
> Attached two pcap samples, one is a single sided version of the other, an HTTP POST.
> When I process the single sided version (sample-upload2-req), conn.log shows two sessions (the HTTP POST tcp connection that has been split) and http.log shows a partial upload. However, processing the original sample (sample-upload2-all), everything is as expected - one connection in conn.log and a complete http.log.
> Are there any parameters I can tweak to make this work?


