Ticket #730 (new Problem)

Opened 5 months ago

Last modified 4 months ago

Find and fix tcp sequence counting bugs

Reported by: seth | Owned by:
Priority: High | Milestone: Bro2.1
Component: Bro | Version:
Keywords: | Cc:

Description

Sometimes the code that watches for tcp sequence wrap around will trigger erroneously and the payload value will be grossly misrepresented in the c$(resp|orig)$size fields.

Attachments

large-byte-count1.trace (943 bytes) - added by seth 4 months ago.

Change History

comment:1 Changed 4 months ago by seth

  • Priority changed from Normal to High

I'll try and get some tracefiles posted here soon that exhibit the problem.

comment:2 Changed 4 months ago by jswaro

If you can provide traces, I'd be interested in assisting in fixing this
problem. I have a problem similar to this that I am working on, which I
imagine a solution to one would solve the other if I'm not mistaken.

On Wed, Jan 18, 2012 at 4:33 PM, Bro Tracker <bro@…> wrote:

Comment:

I'll try and get some tracefiles posted here soon that exhibit the
problem.

--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/730#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>

Changed 4 months ago by seth

comment:3 Changed 4 months ago by seth

I attached a trace file that exhibits the problem. There is some intermediate box that is sending RST packets in this case causing the large byte count.
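
An added illustration of the failure mode reported in this ticket (not Bro's code and not derived from the attached trace): a byte counter that treats any backwards sequence number as a wraparound, next to one that accumulates modulo-2^32 forward deltas within a plausibility window and ignores RSTs. The struct, function names, window size and sample sequence numbers are all constructed assumptions.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// One observed segment in a single direction: the sequence number just past
// its last byte, and whether the RST flag was set.
struct Seg { uint32_t end_seq; bool rst; };

// Naive counter: any sequence number below the previous one counts as a wrap.
uint64_t naive_size(uint32_t isn, const std::vector<Seg>& segs) {
    uint64_t wraps = 0;
    uint32_t last = isn;
    for (const Seg& s : segs) {
        if (s.end_seq < last) ++wraps;   // also fires on a stale or foreign seq
        last = s.end_seq;
    }
    return (wraps << 32) + last - isn;
}

// Checked counter: accumulate modulo-2^32 forward deltas, and skip RSTs and
// any step larger than max_step (a backwards seq shows up as a huge delta).
uint64_t checked_size(uint32_t isn, const std::vector<Seg>& segs,
                      uint32_t max_step = 1u << 30) {
    uint64_t total = 0;
    uint32_t last = isn;
    for (const Seg& s : segs) {
        uint32_t fwd = s.end_seq - last;   // wraps correctly in uint32_t
        if (s.rst || fwd == 0 || fwd > max_step) continue;
        total += fwd;
        last = s.end_seq;
    }
    return total;
}

// Constructed sample: three in-order segments, then an RST from another box
// whose sequence number is unrelated to the flow.
const std::vector<Seg> kRstFlow = {
    {1001, false}, {2461, false}, {3921, false}, {500, true}};
// Constructed sample: a genuine wrap across 2^32.
const std::vector<Seg> kRealWrap = {{0xFFFFFFF0u, false}, {0x00000100u, false}};

int main() {
    std::cout << naive_size(1000, kRstFlow) << " vs "
              << checked_size(1000, kRstFlow) << "\n";
    std::cout << naive_size(0xFFFFFF00u, kRealWrap) << " vs "
              << checked_size(0xFFFFFF00u, kRealWrap) << "\n";
}
```

Both counters agree on the genuine wrap; only the naive one reports roughly 4 GB for the flow that ends with the foreign RST.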
