[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-06 Thread Jon Siwek (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jon Siwek updated BIT-1364:
---
Resolution: Duplicate
Status: Closed  (was: Open)

Duplicate of BIT-844.

I tested the patch mentioned in that ticket against the DTLS examples in this 
ticket and it seemed to work; please double-check that if you can.

 Bro does not attach UDP analyzers when signature matches after first packet
 ---

 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
Assignee: Jon Siwek
Priority: Low
 Fix For: 2.4

 Attachments: f1.pcap, f2.pcap


 At the moment, Bro only seems to attach UDP analyzers based on signatures, if 
 the very first UDP packet matches the signature. Even if later UDP packets 
 match the signature, the analyzer is not attached.
 The attachments contain a test case. f1.pcap contains a DTLS connection with 
 a few STUN packets that are sent first, which is not recognized as DTLS. 
 f2.pcap contains the same connection with the first few packets missing.
 It would probably be nice if one could at least opt to attach analyzers at a 
 later time too, if a signature matches. (I know that 2.4 is probably a bit 
 optimistic for this).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer reassigned BIT-1364:
-

Assignee: Jon Siwek



[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-03 Thread Robin Sommer (JIRA)

 [ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robin Sommer updated BIT-1364:
--
Priority: Low  (was: Normal)



[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-01 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20211#comment-20211
 ] 

Jon Siwek commented on BIT-1364:


Same thing as BIT-844?

I think the agreement was that UDP signature matching does currently have a 
problem and it should match packet-wise.  It's an ugly workaround, but 
prefixing .* instead of ^ to the signature should cause matches on any 
packet (but also possibly mismatches if the pattern appears within a packet's 
payload).

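
The trade-off raised in the comment above, as an added example that is not part of the original thread and not Bro's code: a simplified Python model that assumes the signature regex is matched against a flow's UDP payloads as one byte stream, compared with packet-wise matching. The payload bytes, the shortened DTLS pattern and all names are constructed for illustration.

```python
import re

# Constructed payloads (not extracted from f1.pcap / f2.pcap).
STUN = bytes.fromhex("0001 0000 2112a442") + bytes(12)            # STUN Binding Request header
DTLS = bytes.fromhex("16 feff 0000 000000000000 0010") + bytes(16)  # DTLS 1.0 handshake record
LOOKALIKE = b"\xde\xad" + b"\x16\xfe\xff" + bytes(8)              # DTLS-like bytes mid-payload

# Shortened stand-ins for a DTLS signature: record type 0x16, version 0xfeff or 0xfefd.
ANCHORED = rb"^\x16\xfe[\xff\xfd]"
WORKAROUND = rb".*\x16\xfe[\xff\xfd]"   # the ".* instead of ^" workaround from the thread

F1_LIKE = [STUN, STUN, DTLS]   # STUN first, then DTLS (the f1.pcap situation)
F2_LIKE = [DTLS]               # same flow without the leading packets (f2.pcap)
NOISE = [STUN, LOOKALIKE]      # no DTLS at all, but the byte pattern occurs in a payload


def stream_match(pattern, packets):
    """Assumed model of the reported behaviour: payloads form one stream,
    so ^ can only match at the start of the first datagram."""
    return re.compile(pattern, re.DOTALL).match(b"".join(packets)) is not None


def packet_match(pattern, packets):
    """Packet-wise matching: the anchor is re-evaluated for every datagram."""
    rx = re.compile(pattern, re.DOTALL)
    return any(rx.match(p) is not None for p in packets)


def compare():
    """Return detection results for each (strategy, flow) pair."""
    flows = {"f1_like": F1_LIKE, "f2_like": F2_LIKE, "noise": NOISE}
    strategies = {
        "stream_anchored": lambda f: stream_match(ANCHORED, f),
        "stream_workaround": lambda f: stream_match(WORKAROUND, f),
        "packet_anchored": lambda f: packet_match(ANCHORED, f),
    }
    return {s: {n: fn(f) for n, f in flows.items()} for s, fn in strategies.items()}


if __name__ == "__main__":
    for strategy, row in compare().items():
        print(f"{strategy:18} {row}")
```

In this model only packet-wise anchored matching detects the late DTLS record without also firing on the lookalike payload.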


[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-01 Thread Johanna Amann (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20213#comment-20213
 ] 

Johanna Amann commented on BIT-1364:


Ah, sorry - I was not aware that we already have a ticket like that. And yes, 
that seems to be the same thing. I guess switching the pattern in this case 
might work, it is specific enough that it is unlikely to match otherwise. We 
probably should still fix this sometime, it does not seem that that solution 
would always be viable.



[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-04-01 Thread Jon Siwek (JIRA)

[ 
https://bro-tracker.atlassian.net/browse/BIT-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20214#comment-20214
 ] 

Jon Siwek commented on BIT-1364:


Yeah, should do a real fix; just wanted to mention the workaround in case 
that's a more viable option to make it into 2.4.



[Bro-Dev] [JIRA] (BIT-1364) Bro does not attach UDP analyzers when signature matches after first packet

2015-03-31 Thread Johanna Amann (JIRA)
Johanna Amann created BIT-1364:
--

 Summary: Bro does not attach UDP analyzers when signature matches 
after first packet
 Key: BIT-1364
 URL: https://bro-tracker.atlassian.net/browse/BIT-1364
 Project: Bro Issue Tracker
  Issue Type: Problem
  Components: Bro
Affects Versions: git/master
Reporter: Johanna Amann
 Fix For: 2.4
 Attachments: f1.pcap, f2.pcap

At the moment, Bro only seems to attach UDP analyzers based on signatures, if 
the very first UDP packet matches the signature. Even if later UDP packets 
match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a 
few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap 
contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a 
later time too, if a signature matches. (I know that 2.4 is probably a bit 
optimistic for this).


