[Bro] Unanswered http post

Robin Sommer robin at icir.org
Mon Jul 7 08:53:05 PDT 2014


On Mon, Jul 07, 2014 at 17:21 +0200, daniel.guerra69 wrote:

> I have an unanswered HTTP post, this post contains username and
> password. The dpd signature only works when the post is answered.

Generally the DPD signatures trigger only if there's something looking
like the assumed protocol on either side of the connection; that's to
avoid attacks where a client generates tons of bogus traffic without
any server responding.

A more specific answer to your question depends on what exactly
"unanswered" means. If there's some reply from the server at all,
maybe we could tweak the DPD signature to take that into account.
Alternatively, you could add your own custom DPD signature that
matches on just client-side traffic if that's what you prefer.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin
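
Added example, not part of the original message and not taken from the Bro distribution: a sketch of the custom client-side-only DPD signature the reply suggests, written in Bro's signature language. The signature name, the file name and the `192.0.2.0/24` server range are assumptions chosen for illustration.

```bro
# http-post-client-only.sig  (hypothetical file name)
#
# Activates the HTTP analyzer from originator traffic alone, so a POST that
# the server never answers is still parsed.
#
# Trade-off: this signature has no "requires-reverse-signature" clause, so
# nothing from the responder is needed before the analyzer is enabled. That
# is exactly the check the reply describes as protection against clients
# producing large amounts of bogus traffic with no server responding.
# The dst-ip condition below narrows where the relaxed rule applies.

signature dpd_http_post_client_only {
  ip-proto == tcp

  # Constructed placeholder range: replace with the servers you care about.
  dst-ip == 192.0.2.0/24

  # Only look at bytes sent by the connection originator.
  tcp-state originator

  # Start of the originator stream looks like an HTTP POST request line.
  payload /^[[:space:]]*POST[[:space:]]+/

  # Attach the HTTP analyzer as soon as the conditions above match.
  enable "http"
}
```

A signature file like this is loaded from a Bro script with `@load-sigs ./http-post-client-only.sig`.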


