[Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing
Michal Purzynski (JIRA)
jira at bro-tracker.atlassian.net
Wed Oct 14 02:40:00 PDT 2015
Michal Purzynski created BIT-1492:
-------------------------------------
Summary: Analyzers fail to attach when SYN missing
Key: BIT-1492
URL: https://bro-tracker.atlassian.net/browse/BIT-1492
Project: Bro Issue Tracker
Issue Type: Problem
Components: BinPAC, Bro
Affects Versions: git/master, 2.4
Reporter: Michal Purzynski
Priority: High
Attachments: https_no_syn.pcap, https.pcap
When the initial SYN packet is missing from the TCP connection, the conn.log entry gets created but no analyzers are attached.
1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. The SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).
I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)
tshark is happy to tell me there is SSL inside, so it looks like there is hope.
1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-001#70107)
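As an added example (not part of the ticket and not Bro's own code), a defender-side check over conn.log records like the one quoted above: it decodes the history field (upper case = originator, lower case = responder) and flags TCP connections that moved payload but received no service label, singling out the no-SYN midstream case this ticket describes. It assumes the 21-column Bro 2.4 conn.log layout; the second sample record is constructed for contrast.

```python
from typing import Dict, List, Optional, Tuple

# Column order of a Bro 2.4 conn.log record: 21 fields, matching the line quoted in the ticket.
CONN_FIELDS = ("ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes "
               "resp_bytes conn_state local_orig local_resp missed_bytes history "
               "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

# Constructed sample log: the first record is the one from the ticket (no originator SYN,
# service "-"); the second is a made-up complete connection that the SSL analyzer did label.
SAMPLE_CONN_LOG = """\
1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
1444814200.100000 CconstructedUid001 198.18.7.165 54880 63.245.215.20 443 tcp ssl 0.900000 700 4000 SF - - 0 ShADadFf 7 1000 8 4300 (empty)
"""

def parse_conn_line(line: str) -> Dict[str, str]:
    """Split one whitespace-separated conn.log record into a field -> value map."""
    values = line.split()
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CONN_FIELDS), len(values)))
    return dict(zip(CONN_FIELDS, values))

def history_flags(history: str) -> Dict[str, bool]:
    """Decode the history string: S = originator SYN, D = originator data, d = responder data."""
    return {
        "orig_syn": "S" in history,
        "orig_data": "D" in history,
        "resp_data": "d" in history,
    }

def analyzer_gap(rec: Dict[str, str]) -> Optional[str]:
    """Explain why protocol analysis likely did not happen for a TCP record; None if no gap."""
    if rec["proto"] != "tcp" or rec["service"] != "-":
        return None
    flags = history_flags(rec["history"])
    if not (flags["orig_data"] or flags["resp_data"]):
        return None  # no payload either way, so nothing for an analyzer to miss
    if not flags["orig_syn"]:
        return "payload seen but no originator SYN (midstream pickup); no analyzer attached"
    return "payload seen with full handshake but no service identified"

def find_gaps(log_text: str) -> List[Tuple[str, str]]:
    """Return (uid, reason) for every record in a conn.log body that shows an analyzer gap."""
    gaps = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blank lines and the #fields header
            continue
        rec = parse_conn_line(line)
        reason = analyzer_gap(rec)
        if reason:
            gaps.append((rec["uid"], reason))
    return gaps
```

Counting how many flagged records have no originator SYN versus a full handshake separates sensor placement or capture-start effects from genuine unidentified protocols.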