[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

2015-10-23 Thread Johanna Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1487:
---
Resolution: Merged  (was: Fixed)
Status: Closed  (was: Merge Request)

Merged in c151a258438d62a0aa5202192d84deb62d53f4bd

> protocols nested within HTTP CONNECT not properly detected when proxy adds 
> headers to 200 response
> --
>
> Key: BIT-1487
> URL: https://bro-tracker.atlassian.net/browse/BIT-1487
> Project: Bro Issue Tracker
> Issue Type: Patch
> Components: Bro
> Affects Versions: 2.4
> Reporter: Eric Karasuda
> Assignee: Robin Sommer
> Fix For: 2.5
>
> Attachments: http-connect.patch, http-connect.pcap, 
> output-without-patch.tar.gz, output-with-patch.tar.gz
>
> Failure scenario:
> * a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
> * the server responds HTTP 200
> * the proxy adds a header to the server's response (e.g. "Proxy-agent: 
> Apache/2.4.16 (Unix)" in the attached pcap).
> * SSL handshake proceeds
> * Bro fails to identify the SSL handshake
>
> As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it 
> instantiates a child analyzer and passes the rest of the server's response to 
> the child. In particular, this means the "Proxy-agent" header is treated as 
> the first data transmitted in the SSL handshake. As a result, protocol 
> detection fails. 
>
> The attached patch remembers that the HTTP 200 was received and only 
> instantiates the child analyzer when the newline is reached at the end of the 
> HTTP message (e.g. after the "Proxy-agent" header).
>
> Running {{bro -C -r http-connect.pcap}} with the attached pcap should output 
> {{output-without-patch.tar.gz}} before applying the patch (note the absence 
> of ssl.log) and should output {{output-with-patch.tar.gz}} after applying 
> the patch.



--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

2015-10-20 Thread Robin Sommer (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-1487:
-

Assignee: Robin Sommer



[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

2015-10-05 Thread Johanna Amann (JIRA)

[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johanna Amann updated BIT-1487:
---
Status: Merge Request  (was: Open)



[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

2015-10-01 Thread Eric Karasuda (JIRA)

Eric Karasuda created BIT-1487:
--

Summary: protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
Key: BIT-1487
URL: https://bro-tracker.atlassian.net/browse/BIT-1487
Project: Bro Issue Tracker
Issue Type: Patch
Components: Bro
Affects Versions: 2.4
Reporter: Eric Karasuda
Attachments: http-connect.patch, http-connect.pcap, 
output-without-patch.tar.gz, output-with-patch.tar.gz

Failure scenario:
* a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443
* the server responds HTTP 200
* the proxy adds a header to the server's response (e.g. "Proxy-agent: 
Apache/2.4.16 (Unix)" in the attached pcap).
* SSL handshake proceeds
* Bro fails to identify the SSL handshake

As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates 
a child analyzer and passes the rest of the server's response to the child. In 
particular, this means the "Proxy-agent" header is treated as the first data 
transmitted in the SSL handshake. As a result, protocol detection fails. 

The attached patch remembers that the HTTP 200 was received and only 
instantiates the child analyzer when the newline is reached at the end of the 
HTTP message (e.g. after the "Proxy-agent" header).

Running {{bro -C -r http-connect.pcap}} with the attached pcap should output 
{{output-without-patch.tar.gz}} before applying the patch (note the absence of 
ssl.log) and should output {{output-with-patch.tar.gz}} after applying the 
patch.



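The hand-off problem described in the report above, as an added example that is not part of the original thread and is not Bro's code: a simplified Python model of handing the stream to the child after the status line versus after the blank line that ends the HTTP message. The reply bytes are constructed, and `looks_like_tls`, `handoff_after_status_line` and `ConnectReplyParser` are hypothetical names used only for illustration.

```python
# Added illustration: a simplified model of the CONNECT hand-off, not Bro's code.
CRLF = b"\r\n"
# Constructed proxy reply: status line, one proxy-added header, blank line,
# then the first bytes of a TLS handshake record (type 0x16, version 3.x).
REPLY = (b"HTTP/1.0 200 Connection Established\r\n"
         b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
         b"\r\n"
         b"\x16\x03\x01\x00\x2e\x02\x00\x00\x2a")


def looks_like_tls(data):
    """Crude signature check: handshake record with an SSL3/TLS version."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def handoff_after_status_line(stream):
    """Unpatched behaviour: everything after the 200 status line goes to the child."""
    status, _, rest = stream.partition(CRLF)
    if status.split()[1:2] != [b"200"]:
        return None
    return rest


class ConnectReplyParser:
    """Patched behaviour: remember the 200, hand off only after the blank line."""

    def __init__(self):
        self.buf = b""
        self.saw_200 = False
        self.status_done = False
        self.child_data = None  # bytes delivered to the child analyzer so far

    def feed(self, chunk):
        if self.child_data is not None:       # tunnel established: pass through
            self.child_data += chunk
            return
        self.buf += chunk
        while CRLF in self.buf:
            line, _, self.buf = self.buf.partition(CRLF)
            if not self.status_done:          # first line is the status line
                self.status_done = True
                self.saw_200 = line.split()[1:2] == [b"200"]
            elif line == b"":                 # blank line ends the HTTP message
                if self.saw_200:
                    self.child_data, self.buf = self.buf, b""
                return
```

Feeding `REPLY` to `ConnectReplyParser` one byte at a time gives the same result as feeding it whole, which matters because the header and the first TLS record can arrive in separate segments.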