Johanna Amann created BIT-1364:
----------------------------------

             Summary: Bro does not attach UDP analyzers when signature matches 
after first packet
                 Key: BIT-1364
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
    Affects Versions: git/master
            Reporter: Johanna Amann
             Fix For: 2.4
         Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures if 
the very first UDP packet matches the signature. Even if later UDP packets 
match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a 
few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap 
contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a 
later time too, if a signature matches. (I know that 2.4 is probably a bit 
optimistic for this.)



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
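
The behaviour reported above, modelled as an added example (not Bro's code and not part of the original report): a matcher that inspects only the first UDP payload of a flow misses DTLS that starts after STUN, while a matcher that keeps inspecting later payloads finds it. The header checks are assumptions standing in for the real signature, and FLOW_F1 / FLOW_F2 are constructed stand-ins for f1.pcap and f2.pcap.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442     # fixed value in every STUN header (RFC 5389)
DTLS_HANDSHAKE = 22                # record content type
DTLS_VERSIONS = {0xFEFF, 0xFEFD}   # DTLS 1.0 and DTLS 1.2 record versions

def is_stun(payload):
    """STUN: top two bits zero, 20-byte header, magic cookie at offset 4."""
    if len(payload) < 20 or payload[0] & 0xC0:
        return False
    return struct.unpack_from("!I", payload, 4)[0] == STUN_MAGIC_COOKIE

def is_dtls_handshake(payload):
    """Assumed stand-in signature: 13-byte DTLS record header, handshake type."""
    if len(payload) < 13:
        return False
    ctype, version = struct.unpack_from("!BH", payload, 0)
    length = struct.unpack_from("!H", payload, 11)[0]
    return (ctype == DTLS_HANDSHAKE and version in DTLS_VERSIONS
            and 13 + length <= len(payload))

def attach_index(payloads, window=1):
    """Index of the packet at which the analyzer would be attached, or None.
    window=1 models first-packet-only matching; window=None inspects all."""
    for i, payload in enumerate(payloads[:window]):
        if is_dtls_handshake(payload):
            return i
    return None

def missed_by_first_packet_matching(payloads):
    """True when the flow carries DTLS that first-packet matching never sees."""
    return (attach_index(payloads, 1) is None
            and attach_index(payloads, None) is not None)

def _stun_binding_request():       # constructed sample packet
    return struct.pack("!HHI12s", 0x0001, 0, STUN_MAGIC_COOKIE, bytes(12))

def _dtls_record(body=b"\x01" + bytes(11)):   # constructed sample packet
    return struct.pack("!BHH6sH", DTLS_HANDSHAKE, 0xFEFF, 0, bytes(6),
                       len(body)) + body

# Constructed flows: STUN first, then DTLS (like f1); same flow minus STUN (like f2)
FLOW_F1 = [_stun_binding_request()] * 3 + [_dtls_record(), _dtls_record()]
FLOW_F2 = FLOW_F1[3:]

if __name__ == "__main__":
    for name, flow in (("f1", FLOW_F1), ("f2", FLOW_F2)):
        print(name, attach_index(flow, 1), attach_index(flow, None),
              missed_by_first_packet_matching(flow))
```

Running missed_by_first_packet_matching over flows with no attached analyzer is one way to estimate how much DTLS traffic a first-packet-only sensor leaves unparsed.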
