[Bro] wrong size computation
Christian Kreibich
christian at whoop.org
Sat Dec 10 18:16:24 PST 2005
On Sat, 2005-12-10 at 19:55 +0100, Vincenzo Falletta wrote:
> But if I turn on signature detection i.e. if I run
>
> $bro -r to-brolist_anonym.pcap mt brolite-sigs
>
> then I get AGAIN the same error... so what's up?
>
> Vince
It turns out that this comes down to the same thing -- in both cases
capture_filter sees a redef for tcp port 80. The problem can be stripped
down to just running
$bro -r to-brolist_anonym.pcap tcp
with or without an additional
redef capture_filters += { ["sig-http"] = "tcp port 80" };
The difference is that this redef causes Bro to see the second packet in
the trace (the pure ack), whereas leaving out the redef makes Bro only
use the capture filter given in tcp.bro, namely
tcp[13] & 7 != 0
which is TCP SYN/FIN/RSTs only:
$ tcpdump -nn -r ~/to-brolist_anonym.pcap "tcp[13] & 7 != 0"
reading from file /home/cpk25/to-brolist_anonym.pcap, link-type RAW (Raw IP)
23:22:53.698694 IP 10.0.0.10.49331 > 10.1.1.10.80: S 2810067555:2810067555(0) win 8192 <mss 1460,nop,wscale 0,nop,nop,timestamp 590446704 0>
23:22:54.757565 IP 10.0.0.10.49331 > 10.1.1.10.80: R 3696545253:3696545253(0) win 0
The difference in Bro's processing is that the presence of the ACK lets
it believe that it has actually seen the traffic (if I read TCP.cc
around 915 right).
It comes down to connection tracking semantics -- with a flow this
broken it's basically anyone's guess how big the connection was (without
counting real bytes, of course).
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
More information about the Bro
mailing list