Single sided HTTP POST split
Attached two pcap samples, one is a single sided version of the other, an HTTP POST.
When I process the single sided version (sample-upload2-req), conn.log shows two sessions (the HTTP POST TCP connection has been split) and http.log shows a partial upload. However, processing the original sample (sample-upload2-all), everything is as expected: one connection in conn.log and a complete http.log.
Are there any parameters I can tweak to make this work?
I am closing this for now. It is one of the well-known gotchas of the current Bro implementation, that it does not deal well with one-sided traffic.
We should fix that at some point in the future - however, it will not be forgotten and extends way beyond the issues indicated in this bug. If there is any more need for discussion, feel free to re-open.
Might it be better to mark the connection as successful if data is sent?
Yeah, I think that's a nice idea – seems kind of arbitrary for Bro to close the session if it knows one side is still actively sending data.
Otherwise you have to set this to a large number, to cover the longest possible TCP sessions, but presumably that has a big impact on memory usage, as "lone" SYNs will keep state?
Yes, I think that would be a concern, but there are also several other timeout mechanisms (which are also tuneable) that I'm not immediately sure would come to the rescue even if the one in question was set high.
Might it be better to mark the connection as successful if data is sent? Again, for the single sided case, which I'm not sure how many people are worried about/notice? Otherwise you have to set this to a large number, to cover the longest possible TCP sessions, but presumably that has a big impact on memory usage, as "lone" SYNs will keep state?
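As an added illustration (not code from this issue or from Bro itself), the following constructed toy flow tracker shows the mechanism the thread is discussing: a short idle limit for a connection whose handshake was never seen splits a one-sided upload into two records, while treating sent payload as proof of establishment keeps it as one. The timeout values, the packet timings and the tracker logic are assumptions for the model, not Bro's actual state machine.

```python
from dataclasses import dataclass
from typing import List, NamedTuple, Optional

class Pkt(NamedTuple):
    ts: float      # seconds
    src: str       # "client" or "server"
    flags: str     # "S", "SA" or "A"
    payload: int = 0

@dataclass
class Flow:
    last: float              # timestamp of the last packet seen
    established: bool = False
    bytes_c2s: int = 0

ATTEMPT_TIMEOUT = 5.0       # assumed idle limit while no handshake has completed
INACTIVITY_TIMEOUT = 300.0  # assumed idle limit once the flow counts as established

def track(packets: List[Pkt], data_means_established: bool) -> List[Flow]:
    """Return the flow records a tracker would log for one 4-tuple (toy model, not Bro's)."""
    flows: List[Flow] = []
    cur: Optional[Flow] = None
    for p in packets:
        if cur is not None and p.ts - cur.last > (INACTIVITY_TIMEOUT if cur.established else ATTEMPT_TIMEOUT):
            flows.append(cur)                   # idle too long: closed and logged as its own session
            cur = None
        if cur is None:
            cur = Flow(last=p.ts)
        cur.last = p.ts
        if p.src == "client":
            cur.bytes_c2s += p.payload
        if p.src == "server" and p.flags == "SA":
            cur.established = True              # handshake answered: both sides seen
        if data_means_established and p.payload > 0:
            cur.established = True              # proposed change: payload is proof of life
    if cur is not None:
        flows.append(cur)
    return flows

def one_sided_post() -> List[Pkt]:
    """Constructed client-only capture of a POST upload with one pause longer than ATTEMPT_TIMEOUT."""
    pkts = [Pkt(0.0, "client", "S"), Pkt(0.1, "client", "A", 300)]       # SYN, then headers
    pkts += [Pkt(0.1 + i, "client", "A", 1460) for i in range(1, 4)]       # 1.1 .. 3.1 s
    pkts += [Pkt(3.1 + 2 * i, "client", "A", 1460) for i in range(4, 8)]   # 11.1 .. 17.1 s
    return pkts

def two_sided_post() -> List[Pkt]:
    pkts = one_sided_post()                     # same upload, server's SYN/ACK kept
    pkts.insert(1, Pkt(0.05, "server", "SA"))
    return pkts
```

Running `track(one_sided_post(), False)` yields two records (the split seen in conn.log), while `track(one_sided_post(), True)` and the two-sided capture each yield one.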