From 39734255be72d52da2242cb1891d12970af59fbf Mon Sep 17 00:00:00 2001
From: Robin Sommer
Date: Mon, 11 Jul 2016 17:06:03 -0700
Subject: [PATCH] Change TCP analysis to process connections without the initial SYN as non-partial connections.

Before, if we saw a responder-side SYN/ACK, but had not seen the initial orginator-side SYN, Bro would treat the connection as partial, meaning that most application-layer analyzers would refuse to inspect the payload. That was unfortunate because all payload data was actually there (and even passed to the analyzers). This change make Bro consider these connections as complete, so that analyzers will just normally process them. The leads to couple more connections in the test-suite to now being analyzed. Addresses #1492. (I used an HTTP trace for debugging instead of the HTTPS trace from the ticket, as the clear-text makes it easier to track the data flow).
---
 src/analyzer/protocol/tcp/TCP.cc | 11 +++++++++++
 testing/btest/Baseline/core.history-flip/conn.log | 6 +++---
 testing/btest/Baseline/core.tcp.missing-syn/conn.log | 10 ++++++++++
 testing/btest/core/tcp/missing-syn.bro | 2 ++
 4 files changed, 26 insertions(+), 3 deletions(-)
 create mode 100644 testing/btest/Baseline/core.tcp.missing-syn/conn.log
 create mode 100644 testing/btest/core/tcp/missing-syn.bro

diff --git a/src/analyzer/protocol/tcp/TCP.cc b/src/analyzer/protocol/tcp/TCP.cc
index db9774cfd5..32b3790c59 100644
--- a/src/analyzer/protocol/tcp/TCP.cc
+++ b/src/analyzer/protocol/tcp/TCP.cc
@@ -761,6 +761,17 @@ void TCP_Analyzer::UpdateInactiveState(double t,
 // consider the ack as forming a partial
 // connection.
 ;
+
+ else if ( flags.ACK() && peer->state == TCP_ENDPOINT_ESTABLISHED )
+ {
+ // No SYN packet from originator but SYN/ACK from
+ // responder, and now a pure ACK. Problably means we
+ // just missed that initial SYN. Let's not treat it
+ // as partial and instead establish the connection.
+ endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
+ is_partial = 0;
+ }
+
 else
 {
 endpoint->SetState(TCP_ENDPOINT_PARTIAL);
diff --git a/testing/btest/Baseline/core.history-flip/conn.log b/testing/btest/Baseline/core.history-flip/conn.log
index 5cf5aa4ba5..30564b074f 100644
--- a/testing/btest/Baseline/core.history-flip/conn.log
+++ b/testing/btest/Baseline/core.history-flip/conn.log
@@ -3,8 +3,8 @@
 #empty_field (empty)
 #unset_field -
 #path conn
-#open 2016-07-08-21-54-45
+#open 2016-07-12-00-18-19
 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
 #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
-1128727435.633408 CXWv6p3arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp - 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
-#close 2016-07-08-21-54-45
+1128727435.633408 CXWv6p3arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
+#close 2016-07-12-00-18-19
diff --git a/testing/btest/Baseline/core.tcp.missing-syn/conn.log b/testing/btest/Baseline/core.tcp.missing-syn/conn.log
new file mode 100644
index 0000000000..839243af43
--- /dev/null
+++ b/testing/btest/Baseline/core.tcp.missing-syn/conn.log
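Review bot: The comment on the new branch calls the packet a "pure ACK", but the condition checks only `flags.ACK()` plus `peer->state == TCP_ENDPOINT_ESTABLISHED`, so whether a segment also carrying SYN, FIN or RST can reach it depends on the earlier branches of this `else if` chain, which lie outside the hunk together with the start of UpdateInactiveState. If those branches already consume such segments, say so in the comment; otherwise make the guard explicit, e.g. `else if ( flags.ACK() && ! flags.SYN() && ! flags.FIN() && ! flags.RST() && peer->state == TCP_ENDPOINT_ESTABLISHED )`. Also fix the typo `Problably` → `Probably`. Since clearing `is_partial` is what lets the application analyzers treat the flow as complete (the history-flip baseline now records `service http` where it had `-`), while conn_state was already `SF` for this SYN-less connection before the change, it is worth adding a sentence to the comment that the missed handshake remains visible only through the history string (no `S`), which is what scripts wanting to flag such connections should consult rather than conn_state.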
@@ -0,0 +1,10 @@
+#separator \x09
+#set_separator ,
+#empty_field (empty)
+#unset_field -
+#path conn
+#open 2016-07-12-00-09-49
+#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
+#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
+1128727435.633408 CXWv6p3arKYeMETxOg 141.42.64.125 56730 125.190.109.199 80 tcp http 1.550793 98 9417 SF - - 0 ^hADdFaf 11 670 10 9945 (empty)
+#close 2016-07-12-00-09-49
diff --git a/testing/btest/core/tcp/missing-syn.bro b/testing/btest/core/tcp/missing-syn.bro
new file mode 100644
index 0000000000..f34767eee8
--- /dev/null
+++ b/testing/btest/core/tcp/missing-syn.bro
@@ -0,0 +1,2 @@
+# @TEST-EXEC: bro -C -r $TRACES/tcp/missing-syn.pcap %INPUT
+# @TEST-EXEC: btest-diff conn.log