[Bro] Option to make Bro willing to decode http sessions not preceded by tcp handshake?
Kevin Branch
kevin at branchnetconsulting.com
Thu Sep 1 06:54:33 PDT 2016
I use Bro in the context of Security Onion, and I find that recurrently
session extraction with capME
does not get the whole session, especially with tcp/80 connections that
might be kept alive for several minutes while servicing multiple http
requests. The extracted subset of the session packets are valid http
requests and replies, but Bro does not decode them as http, only as a
tcp/80 connection, if the tcp handshake packets are not at the start of the
pcap.
For example, with a pcap containing just a single http request packet or a
request and reply packet, this command outputs no http session data and
writes no http.log file.
bro -r /example.cap /opt/bro/share/bro/sguild_bro/TCPUDPFlow.bro
but if that pcap has the 3 tcp handshake packets at the front, Bro outputs
session data and an http.log file.
I assume that Bro does not consider a stream of tcp/80 packets to be valid
http traffic if the tcp handshake is missing. Is there any way to ask Bro
to be more forgiving about this? Perhaps a no_sweat_the_handshake option?
If so, I believe it would substantially cut down on the number of capME
failures experienced by Security Onion users.
Thanks,
Kevin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160901/36ce4bf9/attachment.html
More information about the Bro
mailing list