successful_RPC_reply_to_invalid_request and ContentGap

Hi everyone,
   I used Bro to read a trace file that was captured from a local network. In
Bro's log files, the majority of log records are about
successful_RPC_reply_to_invalid_request and ContentGap. What situations can
cause these two alerts?

thanks

Bing

> Hi everyone,
>   I used Bro to read a trace file that was captured from a local network. In
> Bro's log files, the majority of log records are about
> successful_RPC_reply_to_invalid_request and ContentGap. What situations can
> cause these two alerts?

"successful_RPC_reply_to_invalid_request" is a deficiency to be fixed. Bro marks RPC requests that it does not understand as "invalid", and it gets bewildered when it sees the RPC server understands the requests. Please ignore this for now.

"ContentGap" is reported when a TCP segment is not seen but ACK'ed. There can be two cases: (1) most likely, some packets are not captured in the trace file; (2) packets are captured on two interfaces and occasionally get out of order such that some ACKs appear before the corresponding segments. There's little Bro can do with (1), but for (2), Bro can reorder the packets in a small window by TCP sequence number instead of timestamps (redef packet_sort_window = 1 sec).

I hope it helps.

Ruoming
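The ContentGap explanation above (an ACK for bytes that were never seen in the trace, and the difference between real packet loss and capture-side reordering) can be tried out on a small constructed trace. The following is an added toy model, not code from the thread or from Bro itself: it tracks which byte ranges of one TCP direction have been seen, reports an ACK that acknowledges unseen bytes, and then applies a simplified stand-in for Bro's packet_sort_window (packets inside each window re-sorted by stream position rather than timestamp). The packet records, the "A"/"B" endpoint names and both traces are constructed for the example; the real Bro reassembler works on full TCP state and is not reproduced here.

```python
"""Toy model of ContentGap detection and sequence-number reordering.

Added example, not Bro code. All traces below are constructed.
One direction of data: host A sends segments, host B sends ACKs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    ts: float            # capture timestamp in seconds
    src: str             # "A" (data sender) or "B" (sends ACKs)
    seq: int = 0         # first byte of the segment (A only)
    length: int = 0      # payload bytes (A only)
    ack: Optional[int] = None  # next byte B expects (B only)


def _add_interval(intervals, start, end):
    """Insert [start, end) into a sorted list of disjoint intervals and merge."""
    merged = []
    for s, e in sorted(intervals + [(start, end)]):
        if merged and s <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def _contiguous_end(intervals, initial_seq):
    """Highest byte reachable from the stream start without a hole."""
    if not intervals or intervals[0][0] != initial_seq:
        return initial_seq
    return intervals[0][1]


def find_content_gaps(packets: List[Packet], initial_seq: int) -> List[Tuple[float, int, int]]:
    """Walk packets in the given order; return (ts, gap_start, gap_end) for every ACK
    that acknowledges bytes the analyzer never saw (the ContentGap condition)."""
    covered = []  # merged [start, end) byte ranges seen from A
    gaps = []
    for p in packets:
        if p.src == "A" and p.length > 0:
            covered = _add_interval(covered, p.seq, p.seq + p.length)
        elif p.src == "B" and p.ack is not None:
            contig = _contiguous_end(covered, initial_seq)
            if p.ack > contig:
                # the hole ends at the next seen range, or at the ACK if nothing follows
                nxt = min((s for s, _ in covered if s > contig), default=p.ack)
                gaps.append((p.ts, contig, min(nxt, p.ack)))
    return gaps


def reorder_by_sequence(packets: List[Packet], window: float) -> List[Packet]:
    """Simplified stand-in for packet_sort_window: inside each window-second bin,
    order packets by the stream position they refer to (segment end for data,
    ACK number for ACKs, data before the ACK that covers it) instead of by timestamp."""
    def key(p):
        bin_id = int(p.ts // window)
        if p.src == "A":
            return (bin_id, p.seq + p.length, 0)
        return (bin_id, p.ack, 1)
    return sorted(packets, key=key)


# Case (2) from the reply: two capture interfaces, an ACK recorded before the
# data segment it acknowledges. Constructed trace.
TRACE_OUT_OF_ORDER = [
    Packet(0.0, "A", seq=1000, length=100),
    Packet(0.01, "B", ack=1100),
    Packet(0.02, "B", ack=1200),            # ACK seen before seq 1100 segment
    Packet(0.021, "A", seq=1100, length=100),
    Packet(0.03, "A", seq=1200, length=100),
    Packet(0.04, "B", ack=1300),
]

# Case (1) from the reply: the seq 1100 segment was never captured. Constructed trace.
TRACE_PACKET_LOSS = [
    Packet(5.0, "A", seq=1000, length=100),
    Packet(5.01, "B", ack=1100),
    Packet(5.03, "A", seq=1200, length=100),  # seq 1100..1199 is missing
    Packet(5.04, "B", ack=1300),
]


def compare(trace: List[Packet], initial_seq: int = 1000, window: float = 1.0):
    """Gaps reported on the raw trace versus after reordering within the window."""
    return find_content_gaps(trace, initial_seq), find_content_gaps(reorder_by_sequence(trace, window), initial_seq)


if __name__ == "__main__":
    for name, trace in (("out-of-order", TRACE_OUT_OF_ORDER), ("packet loss", TRACE_PACKET_LOSS)):
        raw, sorted_gaps = compare(trace)
        print(f"{name}: raw={raw} after reordering={sorted_gaps}")
```

Running it shows the distinction the reply draws: the out-of-order trace reports a gap at byte 1100 in timestamp order and none once packets are reordered within the window, while the packet-loss trace reports the same gap either way, which is the case the sort window cannot fix.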