[Bro] Load Balancers

Bill Jones bill.jones at syntervision.com
Sat Feb 6 07:21:31 PST 2010


Hi everyone,

I was curious if anyone has any experience running bro between
load-balancers (such as Netscaler) and web applications.  We are
currently trying to get HTTP logs generated for a web application.  We
couldn't figure out why bro was not triggering the HTTP analyzer, but
I now believe that this is because it is never seeing the original SYN
+ SYN/ACK for the conversation.  When viewing the conversations in
Wireshark, I can see that all the TCP streams for this particular
application begin with the GET and do not include the initial 3-way
handshake.

Here is an entry in the conn.log for this stream which shows the states:

1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa

Other web applications on the wire, which do have the 3-way handshake
visible for all connections, seem to work just fine and I get http
logs.

My questions are:

Am I correct in assuming that the lack of initial connection
establishment is why the HTTP analysis is never occurring (and
therefore I'm not getting entries in http.log)?

Is there a way to force bro to analyze the traffic even though there
is no proper 3-way handshake visible?


Thanks for your time,
Bill
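As an added example (not Bro's own code and not from the thread), a small Python parser for conn.log lines in the layout quoted above that flags connections whose history string carries no originator SYN (S) or responder SYN-ACK (h), i.e. streams the sensor only picked up mid-connection, which is the situation the message describes. The column order and the history-letter meanings are assumptions taken from the Bro 1.x format; the second sample line is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample conn.log text. Assumed column order (Bro 1.x): ts, duration,
# orig_h, resp_h, service, orig_p, resp_p, proto, orig_bytes, resp_bytes,
# conn_state, flags, history. Line 1 is the entry quoted in the message,
# line 2 is a constructed connection whose handshake was seen on the wire.
SAMPLE_CONN_LOG = """\
1265389087.849048 ? 10.19.120.12 10.19.2.78 http 2232 80 tcp 14785 604140 OTH X DdAa
1265389090.000000 0.512 10.19.120.13 10.19.2.78 http 2233 80 tcp 321 9876 SF X ShADadFf
"""

# Bro history letters (assumed): uppercase = originator, lowercase = responder.
HISTORY_LETTERS = {
    "S": "SYN", "H": "SYN-ACK", "A": "ACK", "D": "data",
    "F": "FIN", "R": "RST", "C": "bad checksum", "I": "inconsistent",
}


@dataclass
class ConnRecord:
    ts: float
    orig_h: str
    resp_h: str
    service: str
    resp_p: int
    conn_state: str
    history: str

    def handshake_seen(self) -> bool:
        # Both the originator's SYN and the responder's SYN-ACK were observed
        return "S" in self.history and "h" in self.history

    def explain_history(self) -> List[str]:
        # Expand e.g. "DdAa" into who sent what, in wire order
        return [("orig:" if ch.isupper() else "resp:") + HISTORY_LETTERS.get(ch.upper(), "?")
                for ch in self.history]


def parse_conn_line(line: str) -> Optional[ConnRecord]:
    """Parse one whitespace-separated conn.log line; None if it is malformed."""
    f = line.split()
    if len(f) < 13:
        return None
    return ConnRecord(float(f[0]), f[2], f[3], f[4], int(f[6]), f[10], f[12])


def midstream_connections(log_text: str) -> List[ConnRecord]:
    """Return records whose TCP handshake was never observed by the sensor."""
    recs = [parse_conn_line(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in recs if r is not None and not r.handshake_seen()]
```

Running this over a real conn.log shows how many HTTP streams at a given tap point start mid-connection, which is the first thing to check before suspecting the analyzer itself.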
