[Bro-Dev] Logging TCP server banners
Bencteux Jeffrey
jeffrey.bencteux at ssi.gouv.fr
Tue Feb 13 00:15:21 PST 2018
> I call "TCP server banner" the first chunk of data a server sends,
> before the client has sent data (if the client sends data before the
> server, I don't want to log anything).
A solution could be to blacklist such connections, i-e if there is data
sent by the client, then do not log:
> if (! is_orig && seq == 1 && c$orig$num_pkts == 2 && c$orig$size == 0)
Another thing that comes to me is what if you miss the SYN or the
SYN-ACK segment sent by your client? You will not log the banner so I am
not sure about the second condition : c$orig$num_pkts == 2. I would
remove it.
With the pcap generated with the scapy script you gave, I do not log
anymore, however if I change it to this:
wrpcap("test.cap", [
Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
TCP(dport=80, sport=5678, flags="S", ack=0, seq=555678),
Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
TCP(sport=80, dport=5678, flags="SA", seq=111234, ack=555679),
Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
TCP(dport=80, sport=5678, flags="A", ack=111235, seq=555679),
# Ether() / IP(dst="1.2.3.4", src="5.6.7.8") / no more data sent by the client
# TCP(dport=80, sport=5678, flags="PA", ack=111235, seq=555679) / "DATA",
Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
TCP(sport=80, dport=5678, flags="PA", seq=111235, ack=555679) / "DATA"
])
I do have an entry in the log.
> Also, when `seq` equals 1, am I certain that I have not missed any
> packet from the server?
No idea about that, I think the answer is in Bro's TCP implementation in
src/analyzer/protocol/tcp somewhere.
Regards,
More information about the bro-dev
mailing list