[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Johanna Amann updated BIT-1487:
-------------------------------
    Fix Version/s: 2.5

> protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
> --------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1487
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Eric Karasuda
>             Fix For: 2.5
>
>         Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
>
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it
> instantiates a child analyzer and passes the rest of the server's response to
> the child. In particular, this means the "Proxy-agent" header is treated as
> the first data transmitted in the SSL handshake. As a result, protocol
> detection fails.
>
> The attached patch remembers that the HTTP 200 was received and only
> instantiates the child analyzer when the newline is reached at the end of the
> HTTP message (e.g. after the "Proxy-agent" header).
>
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output
> {{output-without-patch.tar.gz}} before applying the patch (note the absence
> of ssl.log) and should output {{output-with-patch.tar.gz}} after applying
> the patch.

--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
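The handoff timing described in the ticket, as an added example that is not part of the original message, the attached patch, or Bro's code. The names `Handoff`, `child_payload`, `looks_like_tls` and `sample_stream` are hypothetical, and the byte stream is constructed rather than taken from the attached pcap.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Hypothetical model, not Bro's code: where the server side of a CONNECT
// tunnel is handed from the HTTP parser to a child analyzer.
enum class Handoff { AtStatusLine, AtEndOfHeaders };

// Constructed sample: 200 reply with a proxy-added header, then the first
// bytes of a TLS handshake record (type 0x16, version 3.3).
std::string sample_stream() {
    return std::string("HTTP/1.0 200 Connection Established\r\n"
                       "Proxy-agent: Apache/2.4.16 (Unix)\r\n\r\n") +
           "\x16\x03\x03\x01\x02";
}

// Returns the bytes the child analyzer would see as its first data.
std::string child_payload(const std::string& s, Handoff mode) {
    bool got_200 = false;
    std::size_t pos = 0, eol;
    while ((eol = s.find("\r\n", pos)) != std::string::npos) {
        std::string line = s.substr(pos, eol - pos);
        pos = eol + 2;
        if (!got_200) {
            // Expect "HTTP/1.x 200 ..."; anything else is not a tunnel.
            if (line.size() < 12 || line.compare(0, 7, "HTTP/1.") != 0 ||
                line.compare(9, 3, "200") != 0)
                return "";
            got_200 = true;  // remember the 200, as the ticket describes
            if (mode == Handoff::AtStatusLine) return s.substr(pos);
        } else if (line.empty()) {
            return s.substr(pos);  // blank line: HTTP message is complete
        }
    }
    return "";  // headers not finished yet: keep buffering
}

// Minimal signature check: TLS handshake record, major version 3.
bool looks_like_tls(const std::string& p) {
    return p.size() >= 2 && static_cast<unsigned char>(p[0]) == 0x16 &&
           static_cast<unsigned char>(p[1]) == 0x03;
}

int main() {
    for (Handoff m : {Handoff::AtStatusLine, Handoff::AtEndOfHeaders})
        std::cout << (looks_like_tls(child_payload(sample_stream(), m))
                          ? "TLS detected\n" : "not TLS\n");
}
```

With the early handoff the child's first bytes are the `Proxy-agent` header, so the signature check fails; with the handoff deferred to the blank line it sees the handshake record.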