[Bro-Dev] [JIRA] (BIT-1492) Analyzers fail to attach when SYN missing
Johanna Amann (JIRA)
jira at bro-tracker.atlassian.net
Mon Oct 19 14:01:00 PDT 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Johanna Amann updated BIT-1492:
-------------------------------
Fix Version/s: 2.5
> Analyzers fail to attach when SYN missing
> -----------------------------------------
>
> Key: BIT-1492
> URL: https://bro-tracker.atlassian.net/browse/BIT-1492
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: BinPAC, Bro
> Affects Versions: git/master, 2.4
> Reporter: Michal Purzynski
> Priority: High
> Fix For: 2.5
>
> Attachments: https_no_syn.pcap, https.pcap
>
>
> When the initial SYN packet is missing from the TCP connection, the conn.log entry gets created but no analyzers are attached.
> 1444814178.800000 C0xKJC4FTWyHP481Y3 198.18.7.165 54872 63.245.215.20 443 tcp - 1.608599 811 4856 SF - - 0 hADadFRf 8 1131 9 5228 (empty)
> I've crafted the pcap to include a full session of wget https://mozilla.org and removed the initial SYN. The SSL analyzer failed to attach. I can confirm the same behavior with other analyzers, too (tested HTTP).
> I kind of wonder, would we lose a lot if we relaxed the rules for the 3WH a little bit? Like, allow the analyzer to continue, because it kind of looks like TCP. Kind of ;)
> tshark is happy to tell me there is SSL inside, so looks like there is a hope.
> 1 0.000000 63.245.215.20 -> 198.18.7.165 TCP 66 443→54872 [SYN, ACK] Seq=0 Ack=1 Win=14600 Len=0 MSS=1460 SACK_PERM=1 WS=1024
> 2 0.000330 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=1 Ack=1 Win=53248 Len=0
> 3 0.001698 198.18.7.165 -> 63.245.215.20 SSL 575 Client Hello
> 4 0.194256 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [ACK] Seq=1 Ack=522 Win=16384 Len=0
> 5 0.197021 63.245.215.20 -> 198.18.7.165 TLSv1.2 1514 Server Hello
> 6 0.197361 63.245.215.20 -> 198.18.7.165 TCP 1514 [TCP segment of a reassembled PDU]
> 7 0.197538 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=522 Ack=2921 Win=53248 Len=0
> 8 0.197857 63.245.215.20 -> 198.18.7.165 TLSv1.2 1328 Certificate
> 9 0.205449 198.18.7.165 -> 63.245.215.20 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Hello Request, Hello Request
> 10 0.400301 63.245.215.20 -> 198.18.7.165 TLSv1.2 105 Change Cipher Spec, Encrypted Handshake Message
> 11 0.405533 198.18.7.165 -> 63.245.215.20 TLSv1.2 218 Application Data
> 12 0.598400 63.245.215.20 -> 198.18.7.165 TLSv1.2 634 Application Data
> 13 0.655022 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 14 1.413664 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [FIN, ACK] Seq=812 Ack=4826 Win=53248 Len=0
> 15 1.607910 63.245.215.20 -> 198.18.7.165 TLSv1.2 85 Encrypted Alert
> 16 1.608140 198.18.7.165 -> 63.245.215.20 TCP 54 54872→443 [RST, ACK] Seq=813 Ack=4857 Win=0 Len=0
> 17 1.608599 63.245.215.20 -> 198.18.7.165 TCP 54 443→54872 [FIN, ACK] Seq=4857 Ack=813 Win=17408 Len=0
--
This message was sent by Atlassian JIRA
(v7.0.0-OD-08-002#70107)
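The two checks below are an added example for readers of this ticket; they are not Bro's code and not from the reporter. The first reads conn.log records and flags connections whose `history` field has no originator SYN (`S`), which is how a mid-stream pickup like the ticket's `hADadFRf` shows up in the log. The second is the kind of payload-based heuristic the reporter is asking about: recognising a TLS ClientHello from the first originator bytes alone, with no handshake context, the way tshark does. Assumptions: the Bro 2.4 conn.log column order used in `CONN_FIELDS`, tab separation (the line in the ticket was pasted with spaces), a second conn.log line and the ClientHello bytes are constructed here for contrast, and only the ClientHello signature is checked, not a full TLS parse.

```python
"""Added example for BIT-1492: spot mid-stream connections in conn.log and
recognise a TLS ClientHello without relying on the TCP handshake having been seen.
Not Bro's own code; sample data below is constructed."""
import struct

# Bro 2.4 conn.log column order (assumption: default fields, no extensions).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Constructed conn.log text: line 1 is the record from the ticket (tab-separated
# here), line 2 is an invented connection with a full handshake for contrast.
CONN_LOG = """\
1444814178.800000\tC0xKJC4FTWyHP481Y3\t198.18.7.165\t54872\t63.245.215.20\t443\ttcp\t-\t1.608599\t811\t4856\tSF\t-\t-\t0\thADadFRf\t8\t1131\t9\t5228\t(empty)
1444814180.100000\tCexample0000000000\t198.18.7.165\t54880\t63.245.215.20\t443\ttcp\tssl\t1.2\t811\t4856\tSF\t-\t-\t0\tShADadFf\t8\t1131\t9\t5228\t(empty)
"""


def parse_conn_line(line):
    """Map one tab-separated conn.log record onto its field names."""
    return dict(zip(CONN_FIELDS, line.rstrip("\n").split("\t")))


def saw_originator_syn(history):
    """In Bro's history string an uppercase 'S' is a SYN from the originator;
    lowercase 'h' is the responder's SYN-ACK. No 'S' means we joined mid-stream."""
    return "S" in history


def midstream_connections(log_text):
    """Return (uid, history, service) for every record without an originator SYN."""
    found = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if not saw_originator_syn(rec["history"]):
            found.append((rec["uid"], rec["history"], rec["service"]))
    return found


def looks_like_tls_client_hello(payload):
    """Payload-only heuristic, independent of TCP state.

    TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03,
    2-byte length. Handshake header: type 0x01 (ClientHello), 3-byte length.
    Then client_version 0x03 0x0X. The record may carry more than one handshake
    message, so the handshake length only has to fit inside the record.
    """
    if len(payload) < 11:
        return False
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if rec_type != 0x16 or major != 0x03 or minor > 0x03:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != 0x01 or hs_len + 4 > rec_len:
        return False
    cv_major, cv_minor = payload[9], payload[10]
    return cv_major == 0x03 and cv_minor <= 0x03


def build_client_hello(client_random=b"\x11" * 32):
    """Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions)
    so the heuristic can be exercised offline."""
    body = (b"\x03\x03" + client_random      # client_version, random
            + b"\x00"                         # session_id length 0
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00")                    # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def triage(record, first_orig_payload):
    """What a payload-first policy would conclude for one connection: whether it
    was seen mid-stream, and which service the first originator bytes suggest
    even though conn.log recorded none."""
    midstream = not saw_originator_syn(record["history"])
    service = "ssl" if looks_like_tls_client_hello(first_orig_payload) else record["service"]
    return {"uid": record["uid"], "midstream": midstream, "service": service}


if __name__ == "__main__":
    for uid, history, service in midstream_connections(CONN_LOG):
        print("mid-stream:", uid, history, "service=" + service)
    first = parse_conn_line(CONN_LOG.splitlines()[0])
    print(triage(first, build_client_hello()))
```

Running the block prints the ticket's connection as mid-stream with `service=-`, and the triage call shows that the same connection would be classified as `ssl` from its first payload bytes. The heuristic is deliberately narrow (ClientHello only); a ClientHello split across TCP segments would need the reassembled payload before the check.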