Eric Karasuda created BIT-1487:
----------------------------------
Summary: protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
Key: BIT-1487
URL: https://bro-tracker.atlassian.net/browse/BIT-1487
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 2.4
Reporter: Eric Karasuda
Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
Failure scenario:
* a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
* the server responds HTTP 200
* the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
* SSL handshake proceeds
* Bro fails to identify the SSL handshake
As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates
a child analyzer and passes the rest of the server's response to the child. In
particular, this means the "Proxy-agent" header is treated as the first data
transmitted in the SSL handshake. As a result, protocol detection fails.
The attached patch remembers that the HTTP 200 was received and only
instantiates the child analyzer when the newline is reached at the end of the
HTTP message (e.g. after the "Proxy-agent" header).
Running {{bro -C -r http-connect.pcap}} with the attached pcap should output
{{output-without-patch.tar.gz}} before applying the patch (note the absence of
ssl.log) and should output {{output-with-patch.tar.gz}} after applying the
patch.
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
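Modelled on the failure scenario and the fix described in the report, as an added illustration that is not Bro's code or the attached patch: the server-side byte stream is handed to the child analyzer either right after the status line (pre-patch) or only after the blank line that ends the HTTP message (patched), and a minimal TLS record check shows why detection fails in the first case. The byte stream and the ServerHello stub in it are constructed, and the function names are this example's own.

```python
# Constructed model of the BIT-1487 hand-off; not Bro's analyzer code.
CRLF = b"\r\n"

def split_after_status_line(stream: bytes) -> tuple[bytes, bytes]:
    """Pre-patch behaviour: everything after the status line goes to the child."""
    idx = stream.find(CRLF)
    if idx < 0:
        raise ValueError("status line not terminated")
    return stream[:idx + 2], stream[idx + 2:]

def split_after_headers(stream: bytes) -> tuple[bytes, bytes]:
    """Patched behaviour: wait for the blank line that ends the HTTP message."""
    idx = stream.find(CRLF + CRLF)
    if idx < 0:
        raise ValueError("end of HTTP headers not yet seen; keep buffering")
    return stream[:idx + 4], stream[idx + 4:]

def looks_like_tls_record(payload: bytes) -> bool:
    """Minimal TLS sniff: content type 0x16 (handshake), version 3.x,
    and a record length that fits inside the buffer."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype == 0x16 and major == 3 and minor <= 3 and len(payload) >= 5 + length

# Constructed server-side stream modelled on the attached pcap: HTTP 200 with a
# Proxy-agent header, followed by the start of a TLS handshake record.
SERVER_STREAM = (
    b"HTTP/1.0 200 Connection Established" + CRLF
    + b"Proxy-agent: Apache/2.4.16 (Unix)" + CRLF
    + CRLF
    + b"\x16\x03\x01\x00\x04"   # TLS handshake record header, 4-byte body
    + b"\x02\x00\x00\x00"       # constructed stub of a ServerHello header
)

def detect_tunnelled_protocol(stream: bytes, patched: bool) -> str:
    """Return the protocol the child analyzer would see at the start of its input."""
    splitter = split_after_headers if patched else split_after_status_line
    _http_part, payload = splitter(stream)
    return "ssl" if looks_like_tls_record(payload) else "unknown"

if __name__ == "__main__":
    print("without patch:", detect_tunnelled_protocol(SERVER_STREAM, patched=False))
    print("with patch:   ", detect_tunnelled_protocol(SERVER_STREAM, patched=True))
```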