Johanna Amann created BIT-1364:
Summary: Bro does not attach UDP analyzers when signature matches after first
Project: Bro Issue Tracker
Issue Type: Problem
Affects Versions: git/master
Reporter: Johanna Amann
Fix For: 2.4
Attachments: f1.pcap, f2.pcap
At the moment, Bro only seems to attach UDP analyzers based on signatures if the very
first UDP packet matches the signature. Even if later UDP packets match the signature, the
analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN
packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same
connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time
too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this).
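The failure mode described in the report, modelled as an added example (not code from Bro or from the reporter): a UDP flow that opens with STUN and then switches to DTLS is evaluated under a first-packet-only policy and under a match-on-later-packets policy. The `classify` helper, the `max_packets` bound and the sample payloads are assumptions constructed for this illustration; they are not Bro's signatures and not the contents of f1.pcap or f2.pcap.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442         # fixed value in every RFC 5389 STUN header
DTLS_VERSIONS = {0xFEFF, 0xFEFD}       # wire encoding of DTLS 1.0 and DTLS 1.2
DTLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

def classify(payload: bytes) -> str:
    """Simplified payload check (hypothetical helper, not Bro's signature)."""
    # STUN: top two bits zero, magic cookie at offset 4, 20-byte header.
    if len(payload) >= 20 and not payload[0] & 0xC0:
        if struct.unpack("!I", payload[4:8])[0] == STUN_MAGIC_COOKIE:
            return "stun"
    # DTLS record header: type(1) version(2) epoch(2) sequence(6) length(2).
    if len(payload) >= 13 and payload[0] in DTLS_CONTENT_TYPES:
        version, = struct.unpack("!H", payload[1:3])
        length, = struct.unpack("!H", payload[11:13])
        if version in DTLS_VERSIONS and 13 + length <= len(payload):
            return "dtls"
    return "unknown"

def attach_first_packet_only(payloads):
    """Reported behaviour: only the first UDP packet can trigger the analyzer."""
    return bool(payloads) and classify(payloads[0]) == "dtls"

def attach_on_any_packet(payloads, max_packets=10):
    """Requested opt-in: index of the first matching packet, else None.
    max_packets is an assumed bound, not a Bro setting."""
    for index, payload in enumerate(payloads[:max_packets]):
        if classify(payload) == "dtls":
            return index
    return None

def stun_binding_request() -> bytes:
    # Constructed sample: Binding Request, no attributes, zero transaction ID.
    return struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + bytes(12)

def dtls_handshake_record() -> bytes:
    # Constructed sample: DTLS 1.0 handshake record with a 12-byte dummy body.
    body = bytes([1]) + bytes(11)
    return struct.pack("!BHH", 22, 0xFEFF, 0) + bytes(6) + struct.pack("!H", len(body)) + body

# Constructed flows modelled on the report's description of the attachments.
F1_LIKE = [stun_binding_request()] * 2 + [dtls_handshake_record()] * 2
F2_LIKE = [dtls_handshake_record()] * 2

if __name__ == "__main__":
    for name, flow in (("f1-like", F1_LIKE), ("f2-like", F2_LIKE)):
        print(name, attach_first_packet_only(flow), attach_on_any_packet(flow))
```

Bounding the number of packets inspected keeps the per-flow matching cost fixed, at the price of missing a protocol switch that happens after the bound.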