protocols nested within HTTP CONNECT not properly detected when proxy adds headers to 200 response

Description

Failure scenario:

  • a client makes an HTTP request to a proxy: CONNECT secure.newegg.com:443

  • the server responds HTTP 200

  • the proxy adds a header to the server's response (e.g. "Proxy-agent: Apache/2.4.16 (Unix)" in the attached pcap).

  • SSL handshake proceeds

  • Bro fails to identify the SSL handshake

As soon as Bro sees "HTTP/1.0 200 Connection Established\r\n", it instantiates a child analyzer and passes the rest of the server's response to the child. In particular, this means the "Proxy-agent" header is treated as the first data transmitted in the SSL handshake. As a result, protocol detection fails.

The attached patch remembers that the HTTP 200 was received and only instantiates the child analyzer when the newline is reached at the end of the HTTP message (e.g. after the "Proxy-agent" header).

Running bro -C -r http-connect.pcap with the attached pcap should output output-without-patch.tar.gz before applying the patch (note the absence of ssl.log) and should output output-with-patch.tar.gz after applying the patch.
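
The two hand-off points described above, modelled as an added example that is not part of the original report or the attached patch. The byte stream is constructed, and the function names and the simplified TLS check are assumptions made for illustration, not Bro's own code.

```python
TLS_HANDSHAKE = 0x16  # TLS record content type "handshake"

# Constructed sample (not taken from the attached pcap): the proxy's reply with
# an added header, followed by the first bytes of a TLS handshake record.
TLS_BYTES = bytes([0x16, 0x03, 0x03, 0x00, 0x04, 0x02, 0x00, 0x00, 0x00])
STREAM = (b"HTTP/1.0 200 Connection Established\r\n"
          b"Proxy-agent: Apache/2.4.16 (Unix)\r\n"
          b"\r\n") + TLS_BYTES


def is_200(status_line: bytes) -> bool:
    parts = status_line.split()
    return len(parts) >= 2 and parts[1] == b"200"


def handoff_on_status_line(stream: bytes) -> bytes:
    """Reported behaviour: everything after the 200 status line goes to the child."""
    end = stream.find(b"\r\n")
    if end < 0 or not is_200(stream[:end]):
        return b""
    return stream[end + 2:]


def handoff_after_headers(stream: bytes) -> bytes:
    """Fixed behaviour: remember the 200, hand off only after the empty line."""
    end = stream.find(b"\r\n")
    if end < 0:
        return b""
    saw_200, pos = is_200(stream[:end]), end + 2
    while True:
        end = stream.find(b"\r\n", pos)
        if end < 0:
            return b""            # headers incomplete: nothing to hand off yet
        line, pos = stream[pos:end], end + 2
        if line == b"":           # empty line ends the HTTP message
            return stream[pos:] if saw_200 else b""


def looks_like_tls(payload: bytes) -> bool:
    """Simplified stand-in for protocol detection: record type and version major."""
    return len(payload) >= 3 and payload[0] == TLS_HANDSHAKE and payload[1] == 0x03


if __name__ == "__main__":
    for name, fn in (("status line", handoff_on_status_line),
                     ("after headers", handoff_after_headers)):
        child = fn(STREAM)
        print(f"{name:13} first bytes={child[:12]!r} tls={looks_like_tls(child)}")
```

With the early hand-off the child's first bytes are the "Proxy-agent" header, so the TLS check fails; with the hand-off after the empty line the child starts at the handshake record.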

Environment

None

Assignee

Robin Sommer

Reporter

Eric Karasuda

Labels

None

External issue ID

None

Priority

Normal