Change in behaviour of connection$resp$size

Description

Bro 2.3-136 and 2.3-178 give different values for connection$resp$size, possibly as a result of BIT-1246. From the documentation https://www.bro.org/sphinx-git/scripts/base/init-bare.bro.html#type-endpoint I'd expect it to be unaffected by missing packets, but the later version appears to be.

Environment

CentOS 6

Activity

Show:
Jon Siwek
September 22, 2014, 6:04 PM

Yes, the change from could cause the same data to be delivered twice in some cases, so your sample was triggering http_message_done at an earlier point than it should have (the content-length was being hit sooner due to the duplicate data sent for HTTP analysis). Should be fixed now in git/master.

Assignee

Unassigned

Reporter

Jimmy Jones

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Normal
Configure