[Bro] successful_RPC_reply_to_invalid_request and ContentGap
rpang at cs.princeton.edu
Mon Aug 29 11:47:42 PDT 2005
> Hi everyone,
> I used Bro to read a trace file that was captured from a local
> network. In
> Bro's log files, the majority of log records are about
> successful_RPC_reply_to_invalid_request and ContentGap. What
> situations can
> cause these two alerts?
"successful_RPC_reply_to_invalid_request" is a deficiency to be fixed.
Bro marks RPC requests that it does not understand as "invalid", and it
gets bewildered when it sees the RPC server understands the requests.
Please ignore this for now.
"ContentGap" is reported when a TCP segment is not seen but ACK'ed.
There can be two cases: (1) most likely, some packets are not captured
in the trace file; (2) packets are captured on two interfaces and
occasionally get out of order such that some ACKs appear before the
corresponding segments. There's little Bro can do with (1), but for (2),
Bro can reorder the packets in a small window by TCP sequence number
instead of timestamps (redef packet_sort_window = 1 sec).
I hope it helps.
More information about the Bro