[ https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20211#comment-20211 ]
Jon Siwek commented on BIT-1364:
--------------------------------

Same thing as BIT-844? I think the agreement was that UDP signature matching does currently have a problem and it should match packet-wise.

It's an ugly workaround, but prefixing ".*" instead of "^" to the signature should cause matches on any packet (but also possibly mismatches if the pattern appears within a packet's payload).

> Bro does not attach UDP analyzers when signature matches after first packet
> ---------------------------------------------------------------------------
>
> Key: BIT-1364
> URL: https://bro-tracker.atlassian.net/browse/BIT-1364
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Johanna Amann
> Fix For: 2.4
>
> Attachments: f1.pcap, f2.pcap
>
>
> At the moment, Bro only seems to attach UDP analyzers based on signatures, if
> the very first UDP packet matches the signature. Even if later UDP packets
> match the signature, the analyzer is not attached.
> The attachments contain a test case. f1.pcap contains a DTLS connection with
> a few STUN packets that are sent first, which is not recognized as DTLS.
> f2.pcap contains the same connection with the first few packets missing.
> It would probably be nice if one could at least opt to attach analyzers at a
> later time too, if a signature matches. (I know that 2.4 is probably a bit
> optimistic for this).
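
The trade-off described in the comment above, as an added Python model that is not part of the thread and not Bro code. It assumes the matcher sees a UDP flow's payload as one continuous stream (consistent with the reported behaviour); the pattern `BODY`, the sample datagrams and the function names are constructed for illustration and are not taken from Bro's signatures or from f1.pcap/f2.pcap.

```python
import re

# Constructed sample datagrams (illustrative bytes only).
STUN = b"\x00\x01\x00\x00\x21\x12\xa4\x42" + b"\x00" * 12   # STUN-like header
DTLS = b"\x16\xfe\xff\x00\x00" + b"\x00" * 8                # DTLS-like record start
# STUN-like datagram whose body happens to contain the DTLS-like bytes.
DECOY = b"\x00\x01\x00\x08\x21\x12\xa4\x42" + b"\x16\xfe\xff\x00"

# Hypothetical, simplified signature body: content type 22, version 0xfeff/0xfefd.
BODY = rb"\x16\xfe[\xff\xfd]"
ANCHORED = b"^" + BODY      # matches only at the start of the matched input
WORKAROUND = b".*" + BODY   # the ".*" prefix suggested in the comment


def stream_match(pattern, packets):
    """Assumed current behaviour: match once against the flow's payload
    treated as a single stream, so '^' anchors at the first packet only."""
    return re.match(pattern, b"".join(packets), re.DOTALL) is not None


def packet_match(pattern, packets):
    """Packet-wise matching: index of the first datagram that matches the
    pattern from its own first byte, or None if no datagram does."""
    for index, payload in enumerate(packets):
        if re.match(pattern, payload, re.DOTALL):
            return index
    return None


if __name__ == "__main__":
    late_dtls = [STUN, STUN, DTLS]   # like f1.pcap: STUN first, DTLS later
    only_dtls = [DTLS]               # like f2.pcap: leading packets missing
    no_dtls = [STUN, DECOY]          # pattern bytes appear mid-payload only

    for name, flow in [("late", late_dtls), ("only", only_dtls), ("none", no_dtls)]:
        print(name,
              "stream^:", stream_match(ANCHORED, flow),
              "stream.*:", stream_match(WORKAROUND, flow),
              "packet^:", packet_match(ANCHORED, flow))
```

In this model the `.*` form recovers the late DTLS record but also fires on the flow that only carries the bytes mid-payload, while anchored packet-wise matching finds datagram 2 and rejects the decoy.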