[Bro-Dev] Logging TCP server banners

Seth Hall seth at corelight.com
Mon Feb 12 14:18:05 PST 2018


This fits with a feature that I've been talking to several people about 
for quite a while which would make a bit of the beginning of each 
direction of a connection available in script-land.  That would help 
with your problem a bit, but it sounds like since there is a particular 
packet that you want, you may want to write your own analyzer that gets 
the exact data that you are looking for because you should be able to do 
packet level stuff easily there.

   .Seth

On 12 Feb 2018, at 15:19, Pierre LALET wrote:

> Hi everyone,
>
> [This mail has been sent to bro@ first, but I think I might have more
> luck (and answers) here. Sorry for the inconvenience to those who have
> already read it.]
>
> For a network recon framework I am working on (https://ivre.rocks/ --
> for those interested), I would like to log each "TCP server banner"
> Bro sees.
>
> I call "TCP server banner" the first chunk of data a server sends,
> before the client has sent data (if the client sends data before the
> server, I don't want to log anything).
>
> Here is what I have done so far (`PassiveRecon` is my module's name):
>
> ```
> export {
>         redef tcp_content_deliver_all_resp = T;
>
>         [...]
> }
>
> [...]
>
> event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
>         {
>         if (! is_orig && seq == 1 && c$orig$num_pkts == 2)
>                 {
>                 Log::write(PassiveRecon::LOG, [$ts=c$start_time,
>                                                $host=c$id$resp_h,
>                                                $srvport=c$id$resp_p,
>                                                $recon_type=TCP_SERVER_BANNER,
>                                                $value=contents]);
>                 }
>         }
> ```
>
> Basically, I consider we have a "TCP server banner" when `is_orig` is
> false, when `seq` equals 1 and when we have seen exactly two packets
> from the client (which should be a SYN and the first ACK).
>
> This solution generally works **but** I sometimes log a data chunk
> when I should not, particularly if I have missed part of the
> traffic.
>
> As an example, the following Scapy script creates a PCAP file that
> would trick my script into logging a "TCP server banner" while the
> client has actually sent some data (and we have missed an ACK packet,
> left as a comment in the script):
>
> ```
> from scapy.all import Ether, IP, TCP, wrpcap
>
> wrpcap("test.cap", [
>     # client SYN
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     TCP(dport=80, sport=5678, flags="S", ack=0, seq=555678),
>     # server SYN-ACK
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>     TCP(sport=80, dport=5678, flags="SA", seq=111234, ack=555679),
>     # client ACK, deliberately left out to simulate a missed packet
>     # Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     # TCP(dport=80, sport=5678, flags="A", ack=111235, seq=555679),
>     # client data: the client speaks first, so this is not a server banner
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     TCP(dport=80, sport=5678, flags="PA", ack=111235, seq=555679) / "DATA",
>     # server data: relative seq 1, but ack=555683 acknowledges 4 client bytes
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>     TCP(sport=80, dport=5678, flags="PA", seq=111235, ack=555683) / "DATA"
> ])
> ```
>
> Is there a way to know that I have not missed any packet from the
> client and/or a way to know that the client has not sent any data on
> the connection (like an equivalent of the `seq` parameter, but for the
> `ack`)?
>
> Also, when `seq` equals 1, am I certain that I have not missed any
> packet from the server?
>
> One more question: is there a better, cleaner, etc. way to do what I'm
> trying to do?
>
> Thanks a lot,
>
> Pierre
>
> -- 
> Pierre
> http://pierre.droids-corp.org/
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

--
Seth Hall * Corelight, Inc * www.corelight.com
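An added illustration, not part of either message above, of why the `num_pkts == 2` rule misfires and of one check that closes the gap: the responder's first data segment carries an ACK number, and `ack - client_ISN - 1` is the number of client payload bytes the server has already acknowledged, whether or not the capture saw them. The script replays Pierre's trace plus two constructed ones through both the original heuristic and an ack-aware rule. The `Segment` and `Side` classes, the `classify` function and the sample traces are hypothetical stand-ins for the Scapy packets and Bro connection records; nothing here assumes that Bro exposes the ACK number to `tcp_contents`.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for a captured TCP segment (hypothetical; not Scapy's or Bro's types).
@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "S", "SA", "A", "PA", ...
    seq: int            # absolute sequence number
    ack: int            # absolute acknowledgement number
    payload: bytes = b""

@dataclass
class Side:
    isn: Optional[int] = None        # ISN from this side's SYN or SYN-ACK
    next_seq: Optional[int] = None   # where the next segment from this side should start
    bytes_seen: int = 0              # payload bytes actually observed from this side
    pkts: int = 0                    # packets observed from this side (like Bro's num_pkts)
    gap: bool = False                # a segment began past next_seq: the capture missed data

def naive_is_banner(seg: Segment, orig: Side, resp: Side) -> bool:
    """The heuristic from the post: responder data at relative seq 1 while
    exactly two originator packets (SYN + ACK) have been seen."""
    return resp.isn is not None and seg.seq - resp.isn == 1 and orig.pkts == 2

def classify(segments: List[Segment]) -> Tuple[Optional[bytes], Optional[bytes], str]:
    """Replay a trace; return (naive_banner, checked_banner, reason).
    The checked rule accepts the first responder payload only if no server data was
    missed and the server's own ACK shows the client has sent no payload bytes."""
    orig, resp = Side(), Side()
    orig_key = (segments[0].src, segments[0].sport)
    for seg in segments:
        is_orig = (seg.src, seg.sport) == orig_key
        side, peer = (orig, resp) if is_orig else (resp, orig)
        side.pkts += 1
        if "S" in seg.flags:                      # SYN or SYN-ACK: record the ISN
            side.isn = seg.seq
            side.next_seq = seg.seq + 1
            continue
        if side.next_seq is not None and seg.seq > side.next_seq:
            side.gap = True                       # something from this side went uncaptured
        if not seg.payload:
            continue
        if not is_orig and side.bytes_seen == 0:  # first responder payload: decide here
            naive = seg.payload if naive_is_banner(seg, orig, resp) else None
            if side.isn is None or peer.isn is None:
                return naive, None, "handshake not seen"
            if seg.seq - side.isn != 1 or side.gap:
                return naive, None, "missed earlier server data"
            acked = seg.ack - peer.isn - 1        # client payload bytes the server acknowledges
            if acked > 0 or peer.bytes_seen > 0 or peer.gap:
                return naive, None, f"client already sent {max(acked, peer.bytes_seen)} byte(s)"
            return naive, seg.payload, "server spoke first"
        side.bytes_seen += len(seg.payload)
        side.next_seq = seg.seq + len(seg.payload)
    return None, None, "no server payload"

# Constructed traces; addresses and numbers mirror the Scapy script in the post.
C, S = ("5.6.7.8", 5678), ("1.2.3.4", 80)
def c2s(flags, seq, ack, payload=b""):
    return Segment(C[0], C[1], S[0], S[1], flags, seq, ack, payload)
def s2c(flags, seq, ack, payload=b""):
    return Segment(S[0], S[1], C[0], C[1], flags, seq, ack, payload)

# The post's trace: the client's bare ACK was not captured, its data was.
MISSED_ACK = [c2s("S", 555678, 0), s2c("SA", 111234, 555679),
              c2s("PA", 555679, 111235, b"DATA"), s2c("PA", 111235, 555683, b"DATA")]
# Constructed: the client's data segment itself was missed; only the server's ACK reveals it.
MISSED_DATA = [c2s("S", 555678, 0), s2c("SA", 111234, 555679),
               c2s("A", 555679, 111235), s2c("PA", 111235, 555683, b"DATA")]
# Constructed: a genuine server-first banner.
SERVER_FIRST = [c2s("S", 1000, 0), s2c("SA", 5000, 1001), c2s("A", 1001, 5001),
                s2c("PA", 5001, 1001, b"220 smtp.example ESMTP\r\n")]

if __name__ == "__main__":
    for name, trace in [("missed_ack", MISSED_ACK), ("missed_data", MISSED_DATA),
                        ("server_first", SERVER_FIRST)]:
        print(name, classify(trace))
```

The second trace is the one the original heuristic cannot handle at all: two originator packets were seen, the server's relative seq is 1, yet the server's ACK number proves four client bytes went by. Tracking the acknowledged byte count per direction answers the "equivalent of `seq`, but for the `ack`" question without needing to have captured the client's segment.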

