[Bro] How to do with Bro 2.1

Seth Hall seth at icir.org
Fri Oct 5 21:26:21 PDT 2012


On Oct 5, 2012, at 11:59 PM, keqhe at cs.wisc.edu wrote:

> However, there are a large number of http
> handshake flows such as "SYN-SYN/ACK-ACK". These flows mean there is no
> data, but strictly speaking, they should be regarded as http traffic
> although they carry no data.

I don't agree that it should be regarded as HTTP traffic.  Just because you have a wine glass doesn't mean it's full of wine. :)

Typically the "service" field in the conn log is supposed to be understood as the protocol analyzer or analyzers that Bro used upon the connection successfully (since it can try analyzers and allow them to fail then remove them).

> Besides, I observe that Bro 2.1 can only classify flows that can complete
> the three-way handshake successfully. If the flow is incomplete, Bro 2.1 does
> nothing to try to identify application layer protocols. Is it possible
> for us users to modify this?


This is a known issue and something that we've been planning on addressing in a generic way soon so that the analyzers will be able to "re-sync" to the traffic.  There is a ticket somewhere in our tracker about it.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
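As an added illustration of the "service" semantics Seth describes (example code, not from this thread or the Bro project): a small Python parser over a constructed conn.log excerpt that separates handshake-only port-80 flows from connections whose protocol an analyzer actually confirmed. The UIDs, addresses and the trimmed #fields header are constructed for this example.

```python
"""Constructed Bro 2.1 conn.log excerpt (header trimmed to the fields used
here). Port 80 alone does not earn a "service"; only a successful analyzer does."""
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\thistory\n"
    # SYN, SYN/ACK, ACK and nothing else: no payload, so no analyzer ran.
    "1349477781.000000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t192.0.2.10\t80"
    "\ttcp\t-\t0.050000\t0\t0\tS1\tShA\n"
    # Real HTTP exchange: the HTTP analyzer succeeded, hence service=http.
    "1349477782.000000\tCjhGID4nQcgTWjvg4c\t10.0.0.5\t51235\t192.0.2.10\t80"
    "\ttcp\thttp\t0.310000\t412\t1893\tSF\tShADadFf\n"
    # Data on port 80 that no analyzer accepted: service stays unset ("-").
    "1349477783.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t44321\t192.0.2.11\t80"
    "\ttcp\t-\t0.200000\t60\t0\tRSTO\tShADR\n"
)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split("\t")))

def classify(records):
    """Sort connections by what the service column can and cannot say:
    - with_service: an analyzer confirmed the protocol, whatever the port;
    - handshake_only: SYN/SYN-ACK/ACK with no payload, so nothing to analyze;
    - unidentified: payload was seen but no analyzer accepted it."""
    out = {"with_service": [], "handshake_only": [], "unidentified": []}
    for r in records:
        hist = r["history"]
        established = all(flag in hist for flag in "ShA")  # S=SYN, h=SYN/ACK, A=ACK
        payload = sum(int(r[k]) for k in ("orig_bytes", "resp_bytes") if r[k] != "-")
        if r["service"] != "-":
            out["with_service"].append((r["uid"], r["service"]))
        elif established and payload == 0:
            out["handshake_only"].append((r["uid"], r["id.resp_p"]))
        else:
            out["unidentified"].append((r["uid"], r["id.resp_p"]))
    return out

if __name__ == "__main__":
    for bucket, conns in classify(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(bucket, conns)
```

Counting the handshake_only bucket per responder port is a quick way to measure how much of your "port 80" traffic is empty wine glasses rather than HTTP.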