[Bro] Bro behind a TLS reverse proxy

Brandon Sterne brandon.sterne at gmail.com
Tue Apr 10 14:14:29 PDT 2018


Hi Philip,

What sequence of commands are you using to test? On all C7 instances I have
tested, virtual and bare metal, when capturing on the lo interface with
tcpdump, and analyzing the pcaps with tshark, I'm seeing 100% of SYN, ACK
packets as having the bogus timestamp.

Are you confident using tcpdump to both capture and replay the packets to
look at field values? Isn't it possible that tcpdump is writing to and
reading from the pcap in the same incorrect way?

Thanks,
Brandon


On Tue, Apr 10, 2018 at 11:28 AM, Philip Romero <promero at cenic.org> wrote:

> Brandon,
>
> The systems I tested on are listed below. I also asked my Systems team
> to run the test on a datacenter hypervisor CentOS 7 server. Looks like they
> got a "normal" response as well.
>
> Physical Server (Old IBM System x3650 server):
> $ sudo uname -a
> Linux <*hostname*> 3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12 22:26:13
> UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
> $
>
> VirtualBox (5.2.8 r121009) VM (MacBook Pro Retina 15-inch, Mid 2015):
> $ sudo uname -a
> Linux <*hostname*> 3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7 19:03:37
> UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> $
>
> VM test from Overt 4.1 hypervisor:
> kernel - 3.10.0-693.5.2.el7.x86_64
> 2018-04-10 11:14:11.996559 IP6 ::1.57652 > ::1.80: Flags [S], seq
> 579221221, win 43690, options [mss 65476,sackOK,TS val 1190091725 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 11:14:11.996579 IP6 ::1.80 > ::1.57652: Flags [R.], seq 0, ack
> 579221222, win 0, length 0
> 2018-04-10 11:14:11.996699 IP 127.0.0.1.43500 > 127.0.0.1.80: Flags [S],
> seq 2884971053, win 43690, options [mss 65495,sackOK,TS val 1190091725 ecr
> 0,nop,wscale 7], length 0
> 2018-04-10 11:14:11.996715 IP 127.0.0.1.80 > 127.0.0.1.43500: Flags [R.],
> seq 0, ack 2884971054, win 0, length 0
>
> --
> Philip Romero, CISSP, CISA
> Sr. Information Security Analyst
> CENIC
> promero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 237-9290
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
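An independent check of the point Brandon raises, as an added example that is not part of the thread: a small pure-Python reader that pulls the TCP timestamp option (TSval/TSecr) straight out of a classic `tcpdump -w` pcap (Ethernet link type, as used for lo) without going through tcpdump's own decoder, and flags SYN/ACKs whose TSecr does not echo the TSval the client sent in its SYN, which RFC 7323 requires. The packets it checks against are constructed inline; the function names and the 127.0.0.1 addresses are assumptions of this example.

```python
import struct

def _timestamp_option(opts):
    """Walk the TCP option list; return (TSval, TSecr) or None if absent."""
    i = 0
    while i < len(opts) and opts[i] != 0:             # kind 0 ends the list
        if opts[i] == 1:                               # NOP carries no length byte
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if opts[i] == 8 and length == 10 and i + 10 <= len(opts):   # kind 8 = RFC 7323 TS
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += max(length, 2)                            # never loop on a malformed length
    return None

def tcp_packets(data):
    """Parse a LINKTYPE_ETHERNET classic pcap and return one dict per IPv4/TCP packet."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic 0xa1b2c3d4
    off, out = 24, []                                  # skip the 24-byte file header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        pkt = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                   # not IPv4 over Ethernet, or not TCP
        tcp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags, ts = tcp[13], _timestamp_option(tcp[20:(tcp[12] >> 4) * 4])
        out.append({"sport": sport, "dport": dport, "syn": bool(flags & 0x02),
                    "ack": bool(flags & 0x10), "ts": ts})
    return out

def synack_mismatches(packets):
    """SYN/ACKs whose TSecr does not echo the TSval carried by the client's SYN."""
    syn_tsval = {(p["sport"], p["dport"]): p["ts"][0] for p in packets
                 if p["syn"] and not p["ack"] and p["ts"]}
    return [p for p in packets if p["syn"] and p["ack"] and
            (p["ts"] is None or p["ts"][1] != syn_tsval.get((p["dport"], p["sport"])))]

def build_pcap(flows):
    """Constructed input: (sport, dport, flags, tsval, tsecr) tuples as a loopback pcap."""
    body = b""
    for sport, dport, flags, tsval, tsecr in flows:
        opts = b"\x01\x01" + struct.pack("!BBII", 8, 10, tsval, tsecr)   # NOP,NOP,TS
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 8 << 4, flags, 65535, 0, 0) + opts
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, b"\x7f\x00\x00\x01", b"\x7f\x00\x00\x01")
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp                     # Ethernet header
        body += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + body
```

Feed a real capture with `tcp_packets(open("lo.pcap", "rb").read())`; if this reader and tshark disagree with tcpdump on the same file, the problem is in the decoding rather than in the kernel's option values.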