[Bro] Load Balancers
Vern Paxson
vern at icir.org
Sat Feb 6 12:52:19 PST 2010
> Am I correct in assuming that the lack of initial connection
> establishment is why the HTTP analysis is never occurring (and
> therefore I'm not getting entries in http.log)?
Yes. The appended patch should cause the analyzer to function anyway.
> Thanks for the response. I do actually see a "Connection:
> Keep-Alive\r\n" in the GET packet. From this, can I assume that a
> persistent connection is being held, thus the confusion by bro?
That's doubtless what's happening. (FYI, seeing that from the client side
it's just a request, rather than necessarily imposed on the connection. However,
in the setup you describe, surely the server is accepting this, and hence
the seemingly missing SYNs for later requests.)
Vern
Index: src/HTTP.cc
===================================================================
--- src/HTTP.cc (revision 6971)
+++ src/HTTP.cc (working copy)
@@ -753,7 +753,7 @@
AddSupportAnalyzer(content_line_orig);
content_line_resp = new ContentLine_Analyzer(conn, false);
- content_line_resp->SetSkipPartial(true);
+ // content_line_resp->SetSkipPartial(true);
AddSupportAnalyzer(content_line_resp);
}
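Review bot: The `content_line_resp->SetSkipPartial(true);` call is commented out rather than removed or made conditional, and nothing here says why. If the goal is to let HTTP analysis run on connections whose setup was not seen (the load-balancer case discussed in this thread), consider gating the call on a configuration option so the default behaviour for partial connections stays as it was, and replace the dead line with a short comment explaining the choice. Also note that only the responder-side line analyzer is touched in this hunk; it is worth confirming that the originator side is handled consistently.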
@@ -794,8 +794,8 @@
{
TCP_ApplicationAnalyzer::DeliverStream(len, data, is_orig);
- if ( TCP() && TCP()->IsPartial() )
- return;
+ // if ( TCP() && TCP()->IsPartial() )
+ // return;
const char* line = reinterpret_cast<const char*>(data);
const char* end_of_line = line + len;
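Review bot: Dropping the `TCP()->IsPartial()` early return in DeliverStream applies to every partial connection, not just the persistent connections behind the load balancer, so the line handling that follows may be handed data that starts in the middle of a request, reply or message body. Rather than commenting the check out, suggest keeping it behind a flag (skip partial connections unless the option is enabled) and checking that the parsing below tolerates a first line that is not the start of a request or reply. The commented-out lines should be deleted or replaced by a comment that states the intent.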