Hi,

On Tue, Feb 13, 2018 at 09:15:21AM +0100, Bencteux Jeffrey wrote:
> A solution could be to blacklist such connections, i.e. if there is data
> sent by the client, then do not log:
> >         if (! is_orig && seq == 1 && c$orig$num_pkts == 2 && c$orig$size == 0)
> 
> Another thing that comes to me is what if you miss the SYN or the
> SYN-ACK segment sent by your client? You will not log the banner so I am
> not sure about the second condition: c$orig$num_pkts == 2. I would
> remove it.

Thanks! Indeed, changing `c$orig$num_pkts == 2` to `c$orig$size == 0`
is a good move, I wish I had this idea!

> With the pcap generated with the scapy script you gave, I do not log
> anymore, however if I change it to this:
> 
> from scapy.all import Ether, IP, TCP, wrpcap
> 
> wrpcap("test.cap", [
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     TCP(dport=80, sport=5678, flags="S", ack=0, seq=555678),
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>     TCP(sport=80, dport=5678, flags="SA", seq=111234, ack=555679),
>     Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     TCP(dport=80, sport=5678, flags="A", ack=111235, seq=555679),
>     # no more data sent by the client:
>     # Ether() / IP(dst="1.2.3.4", src="5.6.7.8") /
>     # TCP(dport=80, sport=5678, flags="PA", ack=111235, seq=555679) / "DATA",
>     Ether() / IP(src="1.2.3.4", dst="5.6.7.8") /
>     TCP(sport=80, dport=5678, flags="PA", seq=111235, ack=555679) / "DATA"
> ])
> 
> I do have an entry in the log.
> 
> > Also, when `seq` equals 1, am I certain that I have not missed any
> > packet from the server?
> 
> No idea about that, I think the answer is in Bro's TCP implementation in
> src/analyzer/protocol/tcp somewhere.

I think, as suggested by Seth Hall, that I would have to write my own
analyzer for that.

Thanks a lot,

Pierre

-- 
Pierre
http://pierre.droids-corp.org/
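The check discussed in this thread, modelled in plain Python as an added example (not code from the thread or from Bro): it replays constructed packet lists through both variants of the condition, the `c$orig$num_pkts == 2` one and the `c$orig$size == 0` one, including the "capture started after the SYN" case Jeffrey raises. It assumes `seq == 1` in Bro's `tcp_packet` event means "first byte of server payload" (relative sequence numbering).

```python
# Added example: pure-Python model of
#   ! is_orig && seq == 1 && c$orig$size == 0          (size-based variant)
#   ! is_orig && seq == 1 && c$orig$num_pkts == 2 && c$orig$size == 0
# over constructed packet traces. No scapy or Bro required.
# Each packet is (is_orig, tcp_flags, payload_len); flags are informational.

def server_banner_logged(packets, use_num_pkts=False):
    """Return True if the first server data segment would be logged.

    Assumption: seq == 1 in the Bro event corresponds to "no server
    payload has been seen yet on this connection".
    """
    orig_num_pkts = 0   # models c$orig$num_pkts
    orig_size = 0       # models c$orig$size
    resp_size = 0       # models c$resp$size
    for is_orig, _flags, payload_len in packets:
        if is_orig:
            orig_num_pkts += 1
            orig_size += payload_len
            continue
        first_server_data = payload_len > 0 and resp_size == 0   # seq == 1
        resp_size += payload_len
        if first_server_data:
            if use_num_pkts:
                return orig_num_pkts == 2 and orig_size == 0
            return orig_size == 0
    return False

# Constructed traces (same shape as the scapy script in the thread).
HANDSHAKE = [(True, "S", 0), (False, "SA", 0), (True, "A", 0)]
BANNER_ONLY = HANDSHAKE + [(False, "PA", 4)]                    # server speaks first
CLIENT_FIRST = HANDSHAKE + [(True, "PA", 4), (False, "PA", 4)]  # client speaks first
MISSED_SYN = [(True, "A", 0), (False, "PA", 4)]                 # SYN/SYN-ACK not captured

if __name__ == "__main__":
    for name, trace in [("banner only", BANNER_ONLY),
                        ("client first", CLIENT_FIRST),
                        ("missed SYN", MISSED_SYN)]:
        print(f"{name:13s} num_pkts variant: {server_banner_logged(trace, True)!s:5s} "
              f"size variant: {server_banner_logged(trace)}")
```

The missed-SYN trace is the one that separates the two variants: the originator has sent only one packet, so the `num_pkts == 2` check drops the banner while the `size == 0` check still logs it.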
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev