[Bro] Load Balancers
Bill Jones
bill.jones at syntervision.com
Sat Feb 6 07:21:31 PST 2010
Hi everyone,
I was curious if anyone has any experience running bro between
load-balancers (such as Netscaler) and web applications. We are
currently trying to get HTTP logs generated for a web application. We
couldn't figure out why bro was not triggering the HTTP analyzer, but
I now believe that this is because it is never seeing the original SYN
+ SYN/ACK for the conversation. When viewing the conversations in
Wireshark, I can see that all the TCP streams for this particular
application begin with the GET and do not include the initial 3-way
handshake.
Here is an entry in the conn.log for this stream which shows the states:
1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
Other web applications on the wire, which do have the 3-way handshake
visible for all connections, seem to work just fine and I get http
logs.
My questions are:
Am I correct in assuming that the lack of initial connection
establishment is why the HTTP analysis is never occurring (and
therefore I'm not getting entries in http.log)?
Is there a way to force bro to analyze the traffic even though there
is no proper 3-way handshake visible?
Thanks for your time,
Bill
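As an added illustration (not part of Bill's post or of Bro itself), the script below parses the quoted conn.log entry and reads its history field to decide whether the three-way handshake was ever captured. It assumes the 2010-era whitespace-separated conn.log column order (ts, duration, orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes, conn_state, flags, history) and the history-letter and connection-state semantics documented for Zeek's conn.log; the second sample line, showing a fully observed connection for comparison, is constructed.

```python
"""Parse a Bro 1.x-style conn.log line and report whether the TCP
three-way handshake was observed, based on the history field.

Assumptions: 13 whitespace-separated columns in the order listed in
COLUMNS; history letters follow Zeek's conn.log convention (uppercase =
sent by the originator, lowercase = sent by the responder).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The entry quoted in the post (midstream pickup, state OTH).
SAMPLE_LINE = ("1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp "
               "14785 604140 OTH X DdAa")
# Constructed comparison entry for a connection whose handshake was captured.
SAMPLE_COMPLETE = ("1265389100.000000 0.512 10.19.120.13 10.19.2.78 http 40012 80 tcp "
                   "420 1380 SF X ShADadFf")

HISTORY_LETTERS: Dict[str, str] = {
    "s": "SYN without ACK", "h": "SYN+ACK", "a": "pure ACK",
    "d": "packet with payload", "f": "FIN", "r": "RST", "c": "bad checksum",
    "g": "content gap", "t": "retransmitted payload", "w": "zero window",
    "i": "inconsistent packet", "q": "multi-flag packet",
}

CONN_STATE_MEANING: Dict[str, str] = {
    "S0": "connection attempt seen, no reply",
    "S1": "connection established, not terminated",
    "SF": "normal establishment and termination",
    "REJ": "connection attempt rejected",
    "S2": "established, originator closed, responder did not",
    "S3": "established, responder closed, originator did not",
    "RSTO": "established, originator aborted with RST",
    "RSTR": "established, responder aborted with RST",
    "RSTOS0": "originator sent SYN then RST, no responder SYN+ACK",
    "RSTRH": "responder sent SYN+ACK then RST, no originator SYN",
    "SH": "originator sent SYN then FIN, no responder SYN+ACK",
    "SHR": "responder sent SYN+ACK then FIN, no originator SYN",
    "OTH": "no SYN seen, just midstream traffic",
}

COLUMNS = ["ts", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
           "proto", "orig_bytes", "resp_bytes", "conn_state", "flags", "history"]


@dataclass
class ConnRecord:
    ts: float
    duration: Optional[float]  # None when the log shows '?'
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: int
    resp_bytes: int
    conn_state: str
    flags: str
    history: str


def parse_conn_line(line: str) -> ConnRecord:
    """Split one conn.log line into typed fields under the assumed column layout."""
    parts = line.split()
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}")
    f = dict(zip(COLUMNS, parts))
    return ConnRecord(
        ts=float(f["ts"]),
        duration=None if f["duration"] == "?" else float(f["duration"]),
        orig_h=f["orig_h"], resp_h=f["resp_h"], service=f["service"],
        orig_p=int(f["orig_p"]), resp_p=int(f["resp_p"]), proto=f["proto"],
        orig_bytes=int(f["orig_bytes"]), resp_bytes=int(f["resp_bytes"]),
        conn_state=f["conn_state"], flags=f["flags"], history=f["history"],
    )


def describe_history(history: str) -> List[str]:
    """Expand each history letter into 'who: what', keeping packet order."""
    out = []
    for ch in history:
        if ch == "^":
            out.append("direction flipped")
            continue
        who = "originator" if ch.isupper() else "responder"
        out.append(f"{who}: {HISTORY_LETTERS.get(ch.lower(), 'unknown letter ' + ch)}")
    return out


def handshake_seen(history: str) -> bool:
    """True only if the originator's SYN and the responder's SYN+ACK were both captured."""
    return "S" in history and "h" in history


def explain(line: str) -> str:
    """One-line verdict on whether the sensor picked the connection up midstream."""
    rec = parse_conn_line(line)
    verdict = "handshake observed" if handshake_seen(rec.history) else "picked up midstream"
    state = CONN_STATE_MEANING.get(rec.conn_state, "unknown state")
    return (f"{rec.orig_h}:{rec.orig_p} -> {rec.resp_h}:{rec.resp_p} "
            f"{rec.conn_state} ({state}); history {rec.history}: {verdict}")


if __name__ == "__main__":
    for sample in (SAMPLE_LINE, SAMPLE_COMPLETE):
        print(explain(sample))
        for step in describe_history(parse_conn_line(sample).history):
            print("   ", step)
```

Running it over a whole conn.log and counting how many records to a given server come back "picked up midstream" is a quick way to confirm whether the sensor's vantage point (for example, downstream of a load balancer) is the reason an application-layer analyzer never fires: a history with D/d and A/a but no S or h means the handshake was simply never on the wire the sensor sees.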