mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
The expire timeout for the http_sessions table is unnecessary and it actually breaks http session semantics for long-lived sessions. The connection_state_remove() event can take care of cleaning up unanswered sessions.

If an HTTP transfer exceeds the expire timer, then once the expire timer fires we get an "unanswered" HTTP request in http.log and once the reply is done (http_reply_done event), it fails to locate the associated request (because it expired) and thus results in an "unsolicited" HTTP reply being logged (although they should be one http session).

There was a comment in the expire_function mentioning that without the expire timer some requests don't show up with the test-suite. However, after checking back with Robin, I could not reproduce this behavior. (Actually there's one fewer request in the output without the expire-timer, but this can be explained by the above observation, so this is not an error but the way it should be).

This patch results in changes to test-suite output:

* Timestamps for unanswered HTTP replies differ for unanswered request in the "short" test.
* Medium testcase (note: lines are sorted, they are not in the order)::

    -902189670.828700 <unknown request> (0 "" [40880 (interrupted)])
    -902189670.828700 GET /1998/b142.ps <no reply>
    -902189670.828700 start <<IP>>:<<port>> <<IP>>:80
    +902189670.828700 GET /1998/b142.ps (200 "OK" [40880 (interrupted)] <<a.host.name>>)

* aux
* cmake
* doc
* policy
* src
* testing
* .gitignore
* .gitmodules
* bro-path-dev.in
* CHANGES
* Checklist-for-Release
* CMakeLists.txt
* config.h.in
* configure
* COPYING
* INSTALL
* Makefile
* README
* VERSION

This is release 1.6 of Bro, a system for detecting network intruders in real-time using passive network monitoring.

Please see the file INSTALL for installation instructions and pointers for getting started. For more documentation, see the documentation on Bro's home page:

    http://www.bro-ids.org/docs

The main parts of Bro's documentation are also available in the doc/ directory of the distribution. (Please note that the documentation is still a work in progress; there will be more in future releases.)

Numerous other Bro-related publications, including a paper describing the system, can be found at

    http://www.bro-ids.org/publications.html

Send comments, etc., to the Bro mailing list, bro@bro-ids.org. However, please note that you must first subscribe to the list in order to be able to post to it.

- Vern Paxson & Robin Sommer, on behalf of the Bro development team

Lawrence Berkeley National Laboratory
University of California, Berkeley USA

ICSI Center for Internet Research (ICIR)
International Computer Science Institute
Berkeley, CA USA

vern@icir.org / robin@icir.org