[Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing

Michal Purzynski (JIRA) jira at bro-tracker.atlassian.net
Wed Oct 14 02:40:00 PDT 2015


Michal Purzynski created BIT-1492:
-------------------------------------

             Summary: Analyzers fail to attach when SYN missing
                 Key: BIT-1492
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1492
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: BinPAC, Bro
    Affects Versions: git/master, 2.4
            Reporter: Michal Purzynski
            Priority: High
         Attachments: https_no_syn.pcap, https.pcap

When the initial SYN packet is missing from the TCP connection, the conn.log gets created but no analyzers are attached.

1444814178.800000       C0xKJC4FTWyHP481Y3      198.18.7.165    54872   63.245.215.20   443     tcp     -   1.608599 811     4856    SF      -       -       0       hADadFRf        8       1131    9       5228    (empty)

I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).

I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)

tshark is happy to tell me there is SSL inside, so it looks like there is hope.

  1   0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
  2   0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
  3   0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
  4   0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
  5   0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
  6   0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
  7   0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
  8   0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
  9   0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
 10   0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
 11   0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
 12   0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
 13   0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
 14   1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
 15   1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
 16   1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
 17   1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0
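The following is an added example written for this discussion; it is not part of the issue report and not Bro's own code. It replays a constructed packet list that mirrors the tshark listing above (addresses and ports from the trace, a minimal TLS 1.2 ClientHello built inline, stand-in bytes for the other payloads), derives a Bro-style connection-history string, and contrasts a strict attach policy (full three-way handshake required) with a relaxed one that accepts the responder's SYN-ACK plus the originator's ACK, or data in both directions, as evidence of an established connection. The two policies are a model of the decision, not Bro's real attachment logic; the content check on the first client payload stands in for what a protocol analyzer would do once attached.

```python
"""Added example for the BIT-1492 discussion; this is not Bro's own code.

A minimal TCP flow tracker that (1) builds a Bro-style connection-history
string, (2) decides under a strict or a relaxed policy whether a protocol
analyzer may attach, and (3) identifies a TLS Client Hello by content in the
originator's first payload, so a stream whose SYN was never captured can
still be labelled "ssl". Policies are a model, not Bro's real logic.
"""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10       # TCP flag bits
CLIENT, SERVER = "198.18.7.165", "63.245.215.20"  # addresses from the trace


@dataclass
class Packet:
    src: str
    dst: str
    flags: int
    payload: bytes = b""


def history_letter(p: Packet, orig: str) -> str:
    """Bro-style letter: S=SYN, H=SYN-ACK, A=ack, D=data, F=FIN, R=RST;
    upper case for the originator, lower case for the responder."""
    if p.flags & SYN:
        base = "H" if p.flags & ACK else "S"
    elif p.flags & RST:
        base = "R"
    elif p.flags & FIN:
        base = "F"
    else:
        base = "D" if p.payload else "A"
    return base if p.src == orig else base.lower()


def looks_like_tls_client_hello(data: bytes) -> bool:
    """Content check: handshake record (22), version 3.x, record length
    consistent with an enclosed ClientHello (type 1) handshake header."""
    if len(data) < 9 or data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    rec_len = int.from_bytes(data[3:5], "big")
    hs_len = int.from_bytes(data[6:9], "big")
    return data[5] == 0x01 and hs_len == rec_len - 4 and len(data) >= 5 + rec_len


def analyze(packets: list, policy: str = "strict") -> dict:
    """Replay packets; report history, whether an analyzer attached, and the
    protocol detected on the originator's first payload after attachment."""
    first = packets[0]
    # A SYN-ACK is sent by the responder, so the originator is its destination;
    # otherwise assume the first sender originated the connection.
    orig = first.dst if (first.flags & SYN and first.flags & ACK) else first.src
    history, attached, protocol = "", False, None
    for p in packets:
        letter = history_letter(p, orig)
        if letter not in history:              # simplified: each letter once per direction
            history += letter
        if not attached:
            handshake = all(l in history for l in "ShA")   # SYN, SYN-ACK, ACK all seen
            if policy == "strict":
                attached = handshake
            elif policy == "relaxed":
                # The responder's SYN-ACK plus the originator's ACK shows the server
                # accepted the connection; data both ways is accepted mid-stream.
                attached = handshake or ("h" in history and "A" in history) \
                    or ("D" in history and "d" in history)
            else:
                raise ValueError(f"unknown policy {policy!r}")
        if attached and protocol is None and p.src == orig and p.payload:
            protocol = "ssl" if looks_like_tls_client_hello(p.payload) else "unknown"
    return {"history": history, "attached": attached, "protocol": protocol}


def build_client_hello() -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record with one cipher suite."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs


def no_syn_trace() -> list:
    """Packets 1-17 of the report's tshark listing; the client SYN is absent.
    Payloads other than the Client Hello are stand-in bytes (never inspected)."""
    def c2s(flags, payload=b""): return Packet(CLIENT, SERVER, flags, payload)
    def s2c(flags, payload=b""): return Packet(SERVER, CLIENT, flags, payload)
    data = b"\x17\x03\x03\x00\x01x"            # stand-in for later TLS records
    return [
        s2c(SYN | ACK), c2s(ACK), c2s(ACK, build_client_hello()), s2c(ACK),
        s2c(ACK, data), s2c(ACK, data), c2s(ACK), s2c(ACK, data),
        c2s(ACK, data), s2c(ACK, data), c2s(ACK, data), s2c(ACK, data),
        c2s(ACK), c2s(FIN | ACK), s2c(ACK, data), c2s(RST | ACK), s2c(FIN | ACK),
    ]


def with_syn_trace() -> list:
    """Same trace with the client SYN restored in front."""
    return [Packet(CLIENT, SERVER, SYN)] + no_syn_trace()


if __name__ == "__main__":
    for name, trace in (("no SYN", no_syn_trace()), ("with SYN", with_syn_trace())):
        for policy in ("strict", "relaxed"):
            print(name, policy, analyze(trace, policy))
```

Run as a script, the SYN-less trace under the strict policy yields history hADadFRf (the same string as the conn.log line in the report) with no analyzer attached and no protocol, while the relaxed policy attaches after the responder's SYN-ACK and the originator's ACK and labels the flow "ssl" from the Client Hello bytes alone. The point of the content check is that it does not depend on the handshake having been observed, which is what makes a mid-stream pickup useful rather than merely tolerated.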
