HTTP response not detected on nonstandard port

Description

Using the attached bro script, I've tweaked the HTTP signature to match on HTTP responses without the corresponding HTTP request TCP session. I know in a proper setup you should never get single-sided traffic, but certainly when using bro as a tool you have to deal with it sometimes.

Bro handles this fine when the HTTP is on port 80, but not when on port 4321 (see attached PCAPs). I'm curious as to why?

Environment

CentOS 6

Activity

Jon Siwek
October 3, 2014, 4:41 PM

Is it possible for bro to infer the packets belong to a responder, because the connection started with a SYN+ACK rather than just a SYN? Or is that a major change for an edge case, although not unheard of on SPAN ports?

It is possible to do that: you can take a look at which mentions a branch that implements that change, but it isn't 100% accurate (check out the github pull request comments also linked in that ticket). Haven't yet revisited to see if something more can be done and not sure right now how deep the changes would be to improve it.

Jimmy Jones
October 3, 2014, 3:26 PM

Is it possible for bro to infer the packets belong to a responder, because the connection started with a SYN+ACK rather than just a SYN? Or is that a major change for an edge case, although not unheard of on SPAN ports?

Jon Siwek
September 29, 2014, 4:36 PM

The difference here is in likely_server_ports.

Because 80/tcp is in the likely_server_ports set, Bro correctly infers the packets belong to the responder, then your signature matches.

Because 4321/tcp isn't in the set, Bro thinks the packets are from the originator, then the signature doesn't match because it requires checking against the responder's payload. And if you did force the signature to match by taking away the "is responder" condition, the HTTP analyzer would still ignore the content because it looks like data coming from the originator without having fully set up a TCP connection – that's generally a situation where the current HTTP analyzer doesn't deal well.
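One way to apply this explanation to a nonstandard port, written here as an added example (not the reporter's attached script and not Bro's stock dpd.sig): put 4321/tcp into likely_server_ports so the direction inference places the one-sided HTTP response on the responder side, then match it with a responder-only signature. The port, the file names, the signature name and the message text are assumptions; the companion signature is a one-sided variant of the stock dpd_http_server signature with its requires-reverse-signature dropped.

```zeek
# response-only-http.bro (added example, not the reporter's attached script)
#
# Assumed companion file http-response-only.sig, a one-sided variant of the
# stock dpd_http_server signature without requires-reverse-signature:
#
#   signature http_response_no_request {
#     ip-proto == tcp
#     tcp-state responder
#     payload /^HTTP\/[0-9]/
#     event "HTTP response seen without a matching request"
#   }
#
# "tcp-state responder" only holds when Bro believes the sender is the
# responder. With no SYN to go on, that belief comes from likely_server_ports,
# which is why 80/tcp works and 4321/tcp does not.

@load-sigs ./http-response-only.sig

# Assumed ports on this sensor where one-sided HTTP responses are expected.
const response_only_http_ports: set[port] = { 4321/tcp } &redef;

# Teach the direction inference that 4321/tcp is a server port, the same way
# base/protocols/http does for 80/tcp.
redef likely_server_ports += { response_only_http_ports };

# Also attach the HTTP analyzer on these ports. As noted above, the analyzer
# may still ignore response-only data; the signature match is what this
# script relies on.
event bro_init() &priority=5
    {
    Analyzer::register_for_ports(Analyzer::ANALYZER_HTTP, response_only_http_ports);
    }

# Report each match with the direction Bro assigned, to confirm the
# inference now treats the 4321/tcp side as the responder.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "http_response_no_request" )
        return;

    print fmt("%s: %s:%s -> %s:%s is_orig=%s payload=%d bytes",
              msg,
              state$conn$id$orig_h, state$conn$id$orig_p,
              state$conn$id$resp_h, state$conn$id$resp_p,
              state$is_orig, state$payload_size);
    }
```

Run it against the attached PCAP with bro -r; a match with is_orig=F on the 4321/tcp side shows the port entry did the work, and the same PCAP without the redef shows no match.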

Duplicate

Assignee

Unassigned

Reporter

Jimmy Jones

Labels

None

External issue ID

None

Priority

Normal