[ https://bro-tracker.atlassian.net/browse/BIT-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Johanna Amann updated BIT-1492:
-------------------------------
Fix Version/s: 2.5
> Analyzers fail to attach when SYN missing
> -----------------------------------------
>
> Key: BIT-1492
> URL: https://bro-tracker.atlassian.net/browse/BIT-1492
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BinPAC, Bro
> Affects Versions: git/master, 2.4
> Reporter: Michal Purzynski
> Priority: High
> Fix For: 2.5
>
> Attachments: https_no_syn.pcap, https.pcap
>
>
> When the initial SYN packet is missing from a TCP connection, the conn.log
> entry gets created but no analyzers are attached.
> 1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
> I've crafted the pcap to include a full session of wget https://mozilla.org
> and removed the initial SYN. SSL analyzer failed to attach. I can confirm the
> same behavior with other analyzers, too (tested HTTP).
> I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a
> little bit? Like, allow the analyzer to continue, because it kind of looks
> like TCP. Kind of ;)
> tshark is happy to tell me there is SSL inside, so looks like there is a hope.
> 1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
> 2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
> 3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
> 4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
> 5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
> 6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
> 7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
> 8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
> 9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
> 10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
> 11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
> 12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
> 13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
> 16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
> 17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
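The conn.log record quoted in the ticket carries the evidence of the problem in its history field: "hADadFRf" starts at the responder's SYN-ACK ("h") with no originator SYN ("S"), and "service" stays "-" although 4856 bytes came back from the server. The script below, added here as an example and not code from the ticket or from Bro, scans conn.log records for exactly that pattern so an analyst can measure how many connections on a sensor began mid-stream and therefore produced no ssl.log or http.log entries. It assumes the default Bro 2.4 conn.log column order and tab-separated fields; the sample log is constructed, with its first record copied from the ticket and the uids of the other two made up.

```python
"""Find conn.log entries whose TCP history never shows the originator's SYN.

Added example, not code from the ticket or from Bro itself. It assumes the
default Bro 2.4 conn.log column order and tab-separated fields. The sample
log below is constructed; its first record is the one quoted in the ticket.
"""

# Default Bro 2.4 conn.log columns (assumed; matches the ticket's record).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Constructed sample: record 1 is the ticket's (no 'S' in history, service
# stays '-'); record 2 is a hypothetical complete handshake with the SSL
# analyzer attached; record 3 is UDP and must be ignored.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1444814178.800000", "C0xKJC4FTWyHP481Y3", "198.18.7.165",
               "54872", "63.245.215.20", "443", "tcp", "-", "1.608599",
               "811", "4856", "SF", "-", "-", "0", "hADadFRf", "8", "1131",
               "9", "5228", "(empty)"]),
    "\t".join(["1444814200.000000", "CexampleFullHandshake", "198.18.7.165",
               "54873", "63.245.215.20", "443", "tcp", "ssl", "1.2", "800",
               "4800", "SF", "-", "-", "0", "ShADadFf", "8", "1100", "9",
               "5200", "(empty)"]),
    "\t".join(["1444814201.000000", "CexampleDns", "198.18.7.165", "5353",
               "198.18.7.1", "53", "udp", "dns", "0.01", "40", "120", "SF",
               "-", "-", "0", "Dd", "1", "68", "1", "148", "(empty)"]),
])


def parse_conn_line(line):
    """Split one tab-separated conn.log record into a dict keyed by FIELDS."""
    parts = line.split("\t")
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count %d" % len(parts))
    return dict(zip(FIELDS, parts))


def missing_syn(history):
    """True when the history shows the connection progressed past the
    handshake without the originator's SYN ever being seen.

    In Bro's history notation upper case letters are the originator's
    packets and lower case the responder's: S/s = SYN, h = SYN-ACK,
    A/a = ACK, D/d = data. The ticket's 'hADadFRf' begins at the SYN-ACK.
    """
    if history == "-":
        return False
    return "S" not in history and any(c in history for c in "hAaDd")


def find_missing_syn(log_text):
    """Return (uid, history, service) for every TCP record that lacks the
    originator SYN. These are the connections the ticket describes: a
    conn.log record exists, but no analyzer attached, so 'service' is '-'
    even though payload bytes were exchanged."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["proto"] != "tcp":
            continue
        if missing_syn(rec["history"]):
            hits.append((rec["uid"], rec["history"], rec["service"]))
    return hits


if __name__ == "__main__":
    for uid, history, service in find_missing_syn(SAMPLE_CONN_LOG):
        print("%s history=%s service=%s" % (uid, history, service))
```

Run against a real conn.log, the proportion of flagged records is a direct measure of the blind spot: every one of them is a TCP session whose protocol-level logs are silently absent, whether because capture started after the handshake, because of packet loss, or because the sensor only sees one direction of the traffic.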