First of all, tomorrow is thanksgiving and I would like to thank all of you for all the feedback I’ve always received to my posts.
I continue with my research on anomalies, now focus on evasion techniques, and I need to ask you some help to understand how BRO deals with fragmentation and TCP overlapping issues. For reference, I am using Bro 1.5.1 in offline analysis.
- Although I am loading “frag”, I am not receiving any event related with fragmentation.
What could be wrong? libpcap library? my BRO version?
What are the possible events triggered by weird analyzer related with tcp overlapping? (because I am not getting any of them although I think I should see them on my trace)
TCP overlapping problems may generate “partial_ftp_request”, “partial_RPC_request” or other partial events? and also confuse BRO on how the connection should be flagged? For example a connection with flag “S0”, no reply seen could be related with TCP overlapping problems?
How does BRO perform TCP reassembly? I mean, is the traffic on ALL ports reassembled? Is there any way to apply a default policy for doing TCP reassembly? Like Policy First or Last or Unix…
There is an “active mapping” function to improve TCP reassembly. Can we define the host profile database without this active function?
Can we configure the size of the reassembly buffer? I read in historical msg (from 2006) there wasn’t such config and BRO presented a vulnerability against an adversary trying to exhaust memory, is this a current possibility?
By doing offline analysis, I understood that BRO will analyze all the packets without loss even if the CPU is running at 100%. Still, I need information about dropping packets for other reasons. For example, if BRO encounters TCP overlapping, Does it drop all the packets? Choose some of them? Are these actions log somewhere? The same with fragmentations issues. Where can I check the portion of fragments that where reassembled? how many frames discarded, etc?
I am not seeing any difference in bro logs when I analyze 2 pcap files. One file contains some malformed packet at the end and wireshark says “the packet is bigger than 65535”, the other pcap file is the same file but truncated using editcap to avoid this “malformed packet” (if I check the hex using hd, the part truncated represents 850MB ). All the logs of BRO when input is one file or the other are identical. Is this the expected result?
Nakao Lab. Network System Research Group
University of Tokyo