[ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20214#comment-20214
 ] 

Jon Siwek commented on BIT-1364:
--------------------------------

Yeah, should do a real fix; just wanted to mention the workaround in case 
that's a more viable option to make it into 2.4.

> Bro does not attach UDP analyzers when signature matches after first packet
> ---------------------------------------------------------------------------
>
>                 Key: BIT-1364
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Johanna Amann
>             Fix For: 2.4
>
>         Attachments: f1.pcap, f2.pcap
>
>
> At the moment, Bro only seems to attach UDP analyzers based on signatures if 
> the very first UDP packet matches the signature. Even if later UDP packets 
> match the signature, the analyzer is not attached.
> The attachments contain a test case. f1.pcap contains a DTLS connection with 
> a few STUN packets that are sent first, which is not recognized as DTLS. 
> f2.pcap contains the same connection with the first few packets missing.
> It would probably be nice if one could at least opt to attach analyzers at a 
> later time too, if a signature matches. (I know that 2.4 is probably a bit 
> optimistic for this).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
