[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1487: --- Resolution: Merged (was: Fixed) Status: Closed (was: Merge Request) Merged in c151a258438d62a0aa5202192d84deb62d53f4bd > protocols nested within HTTP CONNECT not properly detected when proxy adds > headers to 200 response > -- > > Key: BIT-1487 > URL: https://bro-tracker.atlassian.net/browse/BIT-1487 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro >Affects Versions: 2.4 >Reporter: Eric Karasuda >Assignee: Robin Sommer > Fix For: 2.5 > > Attachments: http-connect.patch, http-connect.pcap, > output-without-patch.tar.gz, output-with-patch.tar.gz > > > Failure scenario: > * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443 > * the server responds HTTP 200 > * the proxy adds a header to the server's response (e.g. "Proxy-agent: > Apache/2.4.16 (Unix)" in the attached pcap). > * SSL handshake proceeds > * Bro fails to identify the SSL handshake > As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it > instantiates a child analyzer and passes the rest of the server's response to > the child. In particular, this means the "Proxy-agent" header is treated as > the first data transmitted in the SSL handshake. As a result, protocol > detection fails. > The attached patch remembers that the HTTP 200 was received and only > instantiates the child analyzer when the newline is reached at the end of the > HTTP message (e.g. after the "Proxy-agent" header). > Running {{bro -C -r http-connect.pcap}} with the attached pcap should output > {{output-without-patch.tar.gz}} before applying the patch (note the absence > of ssl.log) and should output {{output-with-patch.tar.gz}} after applying > the patch. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robin Sommer reassigned BIT-1487: - Assignee: Robin Sommer > protocols nested within HTTP CONNECT not properly detected when proxy adds > headers to 200 response > -- > > Key: BIT-1487 > URL: https://bro-tracker.atlassian.net/browse/BIT-1487 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro >Affects Versions: 2.4 >Reporter: Eric Karasuda >Assignee: Robin Sommer > Fix For: 2.5 > > Attachments: http-connect.patch, http-connect.pcap, > output-without-patch.tar.gz, output-with-patch.tar.gz > > > Failure scenario: > * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443 > * the server responds HTTP 200 > * the proxy adds a header to the server's response (e.g. "Proxy-agent: > Apache/2.4.16 (Unix)" in the attached pcap). > * SSL handshake proceeds > * Bro fails to identify the SSL handshake > As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it > instantiates a child analyzer and passes the rest of the server's response to > the child. In particular, this means the "Proxy-agent" header is treated as > the first data transmitted in the SSL handshake. As a result, protocol > detection fails. > The attached patch remembers that the HTTP 200 was received and only > instantiates the child analyzer when the newline is reached at the end of the > HTTP message (e.g. after the "Proxy-agent" header). > Running {{bro -C -r http-connect.pcap}} with the attached pcap should output > {{output-without-patch.tar.gz}} before applying the patch (note the absence > of ssl.log) and should output {{output-with-patch.tar.gz}} after applying > the patch. -- This message was sent by Atlassian JIRA (v7.0.0-OD-08-002#70107) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
[ https://bro-tracker.atlassian.net/browse/BIT-1487?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Johanna Amann updated BIT-1487: --- Status: Merge Request (was: Open) > protocols nested within HTTP CONNECT not properly detected when proxy adds > headers to 200 response > -- > > Key: BIT-1487 > URL: https://bro-tracker.atlassian.net/browse/BIT-1487 > Project: Bro Issue Tracker > Issue Type: Patch > Components: Bro >Affects Versions: 2.4 >Reporter: Eric Karasuda > Fix For: 2.5 > > Attachments: http-connect.patch, http-connect.pcap, > output-without-patch.tar.gz, output-with-patch.tar.gz > > > Failure scenario: > * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443 > * the server responds HTTP 200 > * the proxy adds a header to the server's response (e.g. "Proxy-agent: > Apache/2.4.16 (Unix)" in the attached pcap). > * SSL handshake proceeds > * Bro fails to identify the SSL handshake > As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it > instantiates a child analyzer and passes the rest of the server's response to > the child. In particular, this means the "Proxy-agent" header is treated as > the first data transmitted in the SSL handshake. As a result, protocol > detection fails. > The attached patch remembers that the HTTP 200 was received and only > instantiates the child analyzer when the newline is reached at the end of the > HTTP message (e.g. after the "Proxy-agent" header). > Running {{bro -C -r http-connect.pcap}} with the attached pcap should output > {{output-without-patch.tar.gz}} before applying the patch (note the absence > of ssl.log) and should output {{output-with-patch.tar.gz}} after applying > the patch. -- This message was sent by Atlassian JIRA (v7.0.0-OD-07-011#70107) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-1487) protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response
Eric Karasuda created BIT-1487: -- Summary: protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response Key: BIT-1487 URL: https://bro-tracker.atlassian.net/browse/BIT-1487 Project: Bro Issue Tracker Issue Type: Patch Components: Bro Affects Versions: 2.4 Reporter: Eric Karasuda Attachments: http-connect.patch, http-connect.pcap, output-without-patch.tar.gz, output-with-patch.tar.gz Failure scenario: * a client makes a HTTP request to a proxy: CONNECT secure.newegg.com:443 * the server responds HTTP 200 * the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap). * SSL handshake proceeds * Bro fails to identify the SSL handshake As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails. The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header). Running {{bro -C -r http-connect.pcap}} with the attached pcap should output {{output-without-patch.tar.gz}} before applying the patch (note the absence of ssl.log) and should output {{output-with-patch.tar.gz}} after applying the patch. -- This message was sent by Atlassian JIRA (v7.0.0-OD-07-011#70107) ___ bro-dev mailing list bro-dev@bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev