Single sided HTTP POST split
Description
Attached are two pcap samples; one is a single-sided version of the other, an HTTP POST.
When I process the single-sided version (sample-upload2-req), conn.log shows two sessions (the HTTP POST TCP connection that has been split) and http.log shows a partial upload. However, processing the original sample (sample-upload2-all), everything is as expected: one connection in conn.log and a complete http.log.
Are there any parameters I can tweak to make this work?
Environment
CentOS 6
Activity
Might it be better to mark the connection as successful if data is sent?
Yeah, I think that's a nice idea – seems kind of arbitrary for Bro to close the session if it knows one side is still actively sending data.
Otherwise have to set this to a large number, to cover longest possible TCP sessions, but presumably has a big impact on memory usage, as "lone" SYNs will keep state?
Yes, I think that would be a concern, but there are also several other timeout mechanisms (which are also tuneable) that I'm not immediately sure would come to the rescue even if the one in question was set high.
Thanks!
Might it be better to mark the connection as successful if data is sent? Again, for the single-sided case, which I'm not sure how many people are worried about/notice? Otherwise have to set this to a large number, to cover longest possible TCP sessions, but presumably has a big impact on memory usage, as "lone" SYNs will keep state?
tcp_attempt_delay seems to be the relevant option.
Related: connection_attempt
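An added example (not from the ticket or from the Bro project): one way to check a conn.log for the symptom described above, where a single TCP flow appears as two entries with the same endpoints shortly after one another. The sample log lines are constructed, and the `max_gap` threshold and function names are assumptions; a match is a heuristic, since legitimate port reuse looks the same.

```python
from collections import defaultdict

# Fields that identify one flow in conn.log
KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")

# Constructed sample: the first two rows share a 5-tuple (a split upload),
# the third is an unrelated connection from a different source port.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ("#fields", "ts", "uid", *KEY, "duration"),
    ("1400000000.000000", "CaAAA1", "10.0.0.5", "49152", "192.0.2.10", "80", "tcp", "-"),
    ("1400000005.100000", "CbBBB2", "10.0.0.5", "49152", "192.0.2.10", "80", "tcp", "12.500000"),
    ("1400000001.000000", "CcCCC3", "10.0.0.5", "49153", "192.0.2.10", "80", "tcp", "3.200000"),
])

def parse_conn_log(text):
    """Parse a tab-separated log with a #fields header into dicts."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def find_split_connections(text, max_gap=30.0):
    """Return (5-tuple, first_uid, second_uid, gap_seconds) for entries on
    the same 5-tuple where the second starts within max_gap seconds of the
    first one ending. An unset duration ("-") is treated as zero."""
    by_tuple = defaultdict(list)
    for rec in parse_conn_log(text):
        by_tuple[tuple(rec[k] for k in KEY)].append(rec)
    hits = []
    for key, recs in by_tuple.items():
        recs.sort(key=lambda r: float(r["ts"]))
        for prev, cur in zip(recs, recs[1:]):
            dur = 0.0 if prev["duration"] == "-" else float(prev["duration"])
            gap = float(cur["ts"]) - (float(prev["ts"]) + dur)
            if 0 <= gap <= max_gap:
                hits.append((key, prev["uid"], cur["uid"], round(gap, 3)))
    return hits

if __name__ == "__main__":
    for key, first, second, gap in find_split_connections(SAMPLE_CONN_LOG):
        print("possible split:", key, first, "->", second, f"gap={gap}s")
```

If the gaps it reports cluster around the configured tcp_attempt_delay, that points at the attempt timer as the cause of the split.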
