[Bro] Bro behind a TLS reverse proxy

Philip Romero promero at cenic.org
Tue Apr 10 15:33:49 PDT 2018


Brandon,

Success...? Both my VirtualBox VM and physical server show the wrong
date/time on the SYN/ACK using the updated testing script you sent. This
was just a confirmation for what you had already confirmed as a
reproducible issue though. I don't have any next-step suggestions, sorry.

$ tshark -t ud -r lo-port-80.pcap
  1 2018-04-10 22:07:21          ::1 -> ::1          TCP 94 60782 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65476 SACK_PERM=1 TSval=4294828850
TSecr=0 WS=128
  2 2018-04-10 22:07:21          ::1 -> ::1          TCP 74 http > 60782
[RST, ACK] Seq=1 Ack=1 Win=0 Len=0
  3 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 74 39762 > http
[SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=4294828850
TSecr=0 WS=128
  4 2106-01-31 09:17:55    127.0.0.1 -> 127.0.0.1    TCP 74 http > 39762
[SYN, ACK] Seq=0 Ack=1 Win=43690 Len=0 MSS=65495 SACK_PERM=1
TSval=4294828850 TSecr=4294828850 WS=128
  5 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=1 Ack=1 Win=43776 Len=0 TSval=4294828850 TSecr=4294828850
  6 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    HTTP 139 GET /
HTTP/1.1
  7 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 http > 39762
[ACK] Seq=1 Ack=74 Win=43776 Len=0 TSval=4294828851 TSecr=4294828851
  8 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 83 [TCP segment
of a reassembled PDU]
  9 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=74 Ack=18 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
 10 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP
segment of a reassembled PDU]
 11 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=74 Ack=55 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
 12 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 103 [TCP
segment of a reassembled PDU]
 13 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=74 Ack=92 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
 14 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 129 [TCP
segment of a reassembled PDU]
 15 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=74 Ack=155 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
 16 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    HTTP 838 HTTP/1.0
200 OK  (text/html)
 17 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[ACK] Seq=74 Ack=927 Win=45312 Len=0 TSval=4294828856 TSecr=4294828856
 18 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 http > 39762
[FIN, ACK] Seq=927 Ack=74 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
 19 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 39762 > http
[FIN, ACK] Seq=74 Ack=928 Win=45312 Len=0 TSval=4294828856 TSecr=4294828856
 20 2018-04-10 22:07:21    127.0.0.1 -> 127.0.0.1    TCP 66 http > 39762
[ACK] Seq=928 Ack=75 Win=43776 Len=0 TSval=4294828856 TSecr=4294828856
$

$ tcpdump -ttttnnr lo-port-80.pcap
reading from file lo-port-80.pcap, link-type EN10MB (Ethernet)
2018-04-10 15:28:49.065635 IP6 ::1.49766 > ::1.80: Flags [S], seq
2880441537, win 43690, options [mss 65476,sackOK,TS val 1116497470 ecr
0,nop,wscale 7], length 0
2018-04-10 15:28:49.065668 IP6 ::1.80 > ::1.49766: Flags [R.], seq 0,
ack 2880441538, win 0, length 0
2018-04-10 15:28:49.065840 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [S],
seq 3964604917, win 43690, options [mss 65495,sackOK,TS val 1116497470
ecr 0,nop,wscale 7], length 0
1985-11-08 19:53:43.822714 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[S.], seq 3727387360, ack 3964604918, win 43690, options [mss
65495,sackOK,TS val 1116497470 ecr 1116497470,nop,wscale 7], length 0
2018-04-10 15:28:49.065886 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 1, win 342, options [nop,nop,TS val 1116497470 ecr 1116497470], length 0
2018-04-10 15:28:49.065973 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags
[P.], seq 1:74, ack 1, win 342, options [nop,nop,TS val 1116497471 ecr
1116497470], length 73: HTTP: GET / HTTP/1.1
2018-04-10 15:28:49.065987 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags [.],
ack 74, win 342, options [nop,nop,TS val 1116497471 ecr 1116497471],
length 0
2018-04-10 15:28:49.176734 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 1:18, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497471], length 17: HTTP: HTTP/1.0 200 OK
2018-04-10 15:28:49.176760 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 18, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176813 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 18:55, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497581], length 37: HTTP
2018-04-10 15:28:49.176831 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 55, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176886 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 55:92, ack 74, win 342, options [nop,nop,TS val 1116497581 ecr
1116497581], length 37: HTTP
2018-04-10 15:28:49.176900 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 92, win 342, options [nop,nop,TS val 1116497581 ecr 1116497581],
length 0
2018-04-10 15:28:49.176951 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 92:132, ack 74, win 342, options [nop,nop,TS val 1116497581
ecr 1116497581], length 40: HTTP
2018-04-10 15:28:49.176966 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 132, win 342, options [nop,nop,TS val 1116497582 ecr 1116497581],
length 0
2018-04-10 15:28:49.177003 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 132:154, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 22: HTTP
2018-04-10 15:28:49.177016 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 154, win 342, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177051 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 154:156, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 2: HTTP
2018-04-10 15:28:49.177064 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 156, win 342, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177124 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[P.], seq 156:5992, ack 74, win 342, options [nop,nop,TS val 1116497582
ecr 1116497582], length 5836: HTTP
2018-04-10 15:28:49.177142 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags [.],
ack 5992, win 1365, options [nop,nop,TS val 1116497582 ecr 1116497582],
length 0
2018-04-10 15:28:49.177212 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags
[F.], seq 5992, ack 74, win 342, options [nop,nop,TS val 1116497582 ecr
1116497582], length 0
2018-04-10 15:28:49.178159 IP 127.0.0.1.44468 > 127.0.0.1.80: Flags
[F.], seq 74, ack 5993, win 1365, options [nop,nop,TS val 1116497583 ecr
1116497582], length 0
2018-04-10 15:28:49.178176 IP 127.0.0.1.80 > 127.0.0.1.44468: Flags [.],
ack 75, win 342, options [nop,nop,TS val 1116497583 ecr 1116497583],
length 0
$


On 4/10/18 2:52 PM, Brandon Sterne wrote:
> sudo python -m SimpleHTTPServer 80

-- 
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
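A check for the symptom in the captures above, added here as an example and not code from the thread, from Bro, or from the testing script: it parses the record headers of a libpcap file and flags frames whose capture timestamp is far out of line with the rest of the stream, as the SYN/ACK at frame 4 is. The capture it reads is constructed inline (with the 2106-01-31 09:17:55 timestamp from the tshark output); `max_jump` is an assumed tolerance, and only microsecond-resolution pcap files are handled.

```python
"""Flag frames in a libpcap file whose capture timestamp is wildly out of
line with their neighbours (for example a SYN/ACK stamped in 2106)."""
import calendar
import struct
from datetime import datetime, timezone


def read_pcap_timestamps(data):
    """Parse a microsecond-resolution libpcap buffer; return [(frame_no, ts)]."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":      # written by a little-endian host
        end = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":    # written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a microsecond libpcap file (magic %r)" % magic)
    frames, off, no = [], 24, 1           # 24-byte global header first
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        frames.append((no, sec + usec / 1e6))
        off += 16 + incl_len              # skip the packet bytes themselves
        no += 1
    return frames


def find_clock_anomalies(frames, max_jump=3600.0):
    """Return frame numbers more than max_jump seconds away from the last
    trusted frame (in either direction, so a 1985 stamp is caught too).
    A flagged frame never becomes the reference, so one bogus SYN/ACK is
    reported once and the sane frame after it is not."""
    bad, ref = [], None
    for no, ts in frames:
        if ref is None:
            ref = ts
        elif abs(ts - ref) > max_jump:
            bad.append(no)
        else:
            ref = ts
    return bad


def _utc(*ymdhms):
    return calendar.timegm(ymdhms)        # (year, month, day, hour, min, sec)


def build_sample_pcap():
    """Constructed capture (not the list's pcap): six frames, frame 4 carries
    the bogus date seen on the SYN/ACK above, 2106-01-31 09:17:55."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    good = _utc(2018, 4, 10, 22, 7, 21)
    stamps = [good, good, good, _utc(2106, 1, 31, 9, 17, 55), good, good]
    pkt = b"\x00" * 60                    # payload contents do not matter here
    body = b"".join(struct.pack("<IIII", s, 1000 * i, len(pkt), len(pkt)) + pkt
                    for i, s in enumerate(stamps))
    return hdr + body


if __name__ == "__main__":
    frames = read_pcap_timestamps(build_sample_pcap())
    for no in find_clock_anomalies(frames):
        ts = frames[no - 1][1]
        print("frame %d: %s" % (no, datetime.fromtimestamp(ts, timezone.utc)))
```

Run against a real capture with `read_pcap_timestamps(open(path, "rb").read())`; a sustained clock step (every later frame off by the same amount) is reported frame by frame, which is the intended behaviour for a capture Bro would otherwise log with bogus times.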
