[ https://bro-tracker.atlassian.net/browse/BIT-1255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18111#comment-18111 ]

Jimmy Jones commented on BIT-1255:
----------------------------------
I shall pay closer attention to weird.log in the future! Will tweak my
production system, thanks.

Based on very little understanding of how Bro's TCP reassembly works... instead
of giving up, would it be preferable to signal a gap and carry on processing
the rest of the connection?

> TCP reassembly issue
> --------------------
>
> Key: BIT-1255
> URL: https://bro-tracker.atlassian.net/browse/BIT-1255
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master, 2.3
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Attachments: out.pcap
>
>
> Been testing Bro with some messy (but valid) TCP streams, using Docker and
> netem (happy to upload a gist if people are interested).
> The attached file reassembles correctly in Wireshark, but Bro only gives the
> first 4069 bytes when extracted with the file analysis framework, and
> obviously the wrong hash (MD5 is the URI).
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev