Ticket #354 (new Feature Request)
Allow analyser to process partial HTTP connections.
| Reported by: | sridhar.basam | Owned by: | |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | Bro | Version: | |
| Keywords: | | Cc: | |
Description (last modified by seth)
By default the HTTP analyser doesn't process packets where Bro did not see the initial handshake. I got a couple of 1-line patches from Vern to fix it. Can we roll this into a future release?
Sridhar
Change History
comment:1 Changed 17 months ago by seth
- Description modified
This is a fairly large change in semantics for how Bro currently functions and I'm curious what your motivation for this change is. Can you give an example of the conditions where this is causing a problem for you?
comment:2 Changed 17 months ago by seth
From Sridhar:
I have applications which use persistent HTTP connections to
talk to upstream services. These connections live for a really long
time, thousands/tens of thousands of requests on a single TCP
connection. I use Bro to analyse HTTP requests and replies for these
applications. I need the ability to run the analyser for these
partial connections in the pcap file.
Ah! I totally understand your frustration with this behavior then. We'll make sure and discuss this for the 1.6 release. It's definitely not going to make it into a 1.5.x release for the reasons that Robin mentioned previously.
Thanks for following up. That's a great example for this ticket.
.Seth
