Bro HTTP midstream inspection


When running Bro, I see a lot of midstream sessions due to long-lived TCP connections that connected before Bro was started. The Bro conn state is correctly “OTH”, but I would like to inspect the streams that are in progress. Is there a recommended way to process midstream TCP with Bro?

For a test, I modified HTTP_Analyzer::DeliverStream to allow midstream inspection.

  if ( TCP() && TCP()->IsPartial() )
-     return;