[ 
https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Johanna Amann updated BIT-1487:
-------------------------------
    Fix Version/s: 2.5

> protocols nested within HTTP CONNECT not properly detected when proxy adds 
> headers to 200 response
> --------------------------------------------------------------------------------------------------
>
>                 Key: BIT-1487
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1487
>             Project: Bro Issue Tracker
>          Issue Type: Patch
>          Components: Bro
>    Affects Versions: 2.4
>            Reporter: Eric Karasuda
>             Fix For: 2.5
>
>         Attachments: http-connect.patch, http-connect.pcap, 
> output-without-patch.tar.gz, output-with-patch.tar.gz
>
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: 
> Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it 
> instantiates a child analyzer and passes the rest of the server's response to 
> the child. In particular, this means the "Proxy-agent" header is treated as 
> the first data transmitted in the SSL handshake. As a result, protocol 
> detection fails. 
> The attached patch remembers that the HTTP 200 was received and only 
> instantiates the child analyzer when the newline is reached at the end of the 
> HTTP message (e.g. after the "Proxy-agent" header).
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output 
> {{output-without-patch.tar.gz}} before applying the patch (note the absence 
> of ssl.log) and should output {{output-with-patch.tar.gz}} after applying 
> the patch.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-07-011#70107)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
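
Added example, not part of the original message and not Bro's analyzer code: a small C++ model of the hand-off point described in the report, comparing a split right after the status line with a split after the empty line that ends the proxy's reply. The function names, the CRLF-only framing and the sample bytes (the report's status line and Proxy-agent header followed by a constructed TLS record header) are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helper types and names, chosen for this illustration.
struct Split {
    bool complete;        // true once the hand-off point has been seen
    std::string tunneled; // bytes that would be passed to the child analyzer
};

// Behaviour described in the report: hand off right after the status line.
Split split_after_status_line(const std::string& reply) {
    std::size_t eol = reply.find("\r\n");
    if (eol == std::string::npos) return {false, ""};
    return {true, reply.substr(eol + 2)};
}

// Behaviour the patch describes: hand off only after the empty line that
// ends the HTTP message; until then, keep waiting for more data.
Split split_after_headers(const std::string& reply) {
    std::size_t end = reply.find("\r\n\r\n");
    if (end == std::string::npos) return {false, ""};
    return {true, reply.substr(end + 4)};
}

// A TLS handshake record starts with content type 0x16, major version 0x03.
bool looks_like_tls_handshake(const std::string& data) {
    return data.size() >= 2 &&
           static_cast<unsigned char>(data[0]) == 0x16 &&
           static_cast<unsigned char>(data[1]) == 0x03;
}

// Constructed sample of the responder-side byte stream.
std::string sample_reply() {
    std::string r = "HTTP/1.0 200 Connection Established\r\n"
                    "Proxy-agent: Apache/2.4.16 (Unix)\r\n"
                    "\r\n";
    r += std::string("\x16\x03\x03\x00\x05", 5); // constructed record header
    return r;
}

int main() {
    Split early = split_after_status_line(sample_reply());
    Split late = split_after_headers(sample_reply());
    std::cout << "after status line: TLS detected = "
              << looks_like_tls_handshake(early.tunneled) << "\n";
    std::cout << "after blank line:  TLS detected = "
              << looks_like_tls_handshake(late.tunneled) << "\n";
    return 0;
}
```

With the early split the child's first bytes are the text "Proxy-agent: ...", so a signature check for a TLS record fails; with the late split the child starts at the record header.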
