[ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20213#comment-20213
 ] 

Johanna Amann commented on BIT-1364:
------------------------------------

Ah, sorry - I was not aware that we already have a ticket like that. And yes, 
that seems to be the same thing. I guess switching the pattern in this case 
might work, it is specific enough that it is unlikely to match otherwise. We 
probably should still fix this sometime, it does not seem that that solution 
would always be viable..

> Bro does not attach UDP analyzers when signature matches after first packet
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1364
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: f1.pcap, f2.pcap
>
>
> At the moment, Bro only seems to attach UDP analyzers based on signatures, if 
> the very first UDP packet matches the signature. Even if later UDP packets 
> match the signature, the analyzer is not attached.
> The attachments contain a test case. f1.pcap contains a DTLS connection with 
> a few STUN packets that are sent first, which is not recognized as DTLS. 
> f2.pcap contains the same connection with the first few packets missing.
> It would probably be nice if one could at least opt to attach analyzers at a 
> later time too, if a signature matches. (I know that 2.4 is probably a bit 
> optimistic for this).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev