Bro does not attach UDP analyzers when signature matches after first packet


At the moment, Bro only seems to attach UDP analyzers based on signatures, if the very first UDP packet matches the signature. Even if later UDP packets match the signature, the analyzer is not attached.

The attachments contain a test case. f1.pcap contains a DTLS connection with a few STUN packets that are sent first, which is not recognized as DTLS. f2.pcap contains the same connection with the first few packets missing.

It would probably be nice if one could at least opt to attach analyzers at a later time too, if a signature matches. (I know that 2.4 is probably a bit optimistic for this).




Jon Siwek
April 6, 2015, 8:59 PM

Duplicate of BIT-844.

I tested the patch mentioned in that ticket against the DTLS examples in this ticket and it seemed to work, please double check that if you can.

Jon Siwek
April 1, 2015, 5:07 PM

Yeah, should do a real fix; just wanted to mention the workaround in case that's a more viable option to make it in to 2.4.

Johanna Amann
April 1, 2015, 3:10 PM

Ah, sorry - I was not aware that we already have a ticket like that. And yes, that seems to be the same thing. I guess switching the pattern in this case might work, it is specific enough that it is unlikely to match otherwhise. We probably should still fix this sometime, it does not seem that that solution would always be viable..

Jon Siwek
April 1, 2015, 2:35 PM

Same thing as ?

I think the agreement was that UDP signature matching does currently have a problem and it should match packet-wise. It's an ugly workaround, but prefixing ".*" instead of "^" to the signature should cause matches on any packet (but also possibly mismatches if the pattern appears within a packet's payload).



Jon Siwek


Johanna Amann



External issue ID



Fix versions

Affects versions