Comments (6)
Hello! Just to make sure that I understand your problem correctly, you are saying that the TLS messages are being segmented into multiple smaller packets. This is resulting in cases where the TLS message headers have a length greater than the actual packet size (i.e. 3000 > 1500), and this is causing the sanity check at tls.c:1787 to fail.
Exactly. It happens when there are multiple messages inside one TLS handshake record - the length of the handshake records is the sum of the lengths of messages, like server hello and certificates. Admittedly, it might be a rare case - I found this behavior in a pcap containing Noris botnet traffic
Thanks for looking at this in detail. I've also come to the same conclusions upon inspection in GDB. I think ultimately the solution will be to keep track of the segmentation state of the messages in order to piece the whole TLS message together when it is spread over multiple packets. Implementing the segmentation state tracking for TLS is on our work board, we hope to have that completed sometime in the near future :)
Is this something that you are interested in to implement? It sounds like you know your way around the code, and it would be great to have your help in getting this done sooner!
I made an attempt at fixing this. Please take a look at this branch to see if it helps:
https://github.com/cisco/joy/tree/tls-continuity
The ServerHello message is now parsed, but the certificate part is not. I think the problem is not looking at the lengths of the messages and not handling 3-packet-long messages correctly. Maybe a Wireshark screenshot will help better explain what I have in mind. Here, the r->segmented becomes something over 3000 in the first packet and then it makes a mess when parsing the second packet (start points somewhere beyond the end of the packet, rem_len underflows).
This might require a more thorough revision of the code... on the other hand, the very fact that the messages are constructed in this way may be a good indicator that something is amiss. (this is botnet traffic)
I added a new commit to address multiple handshake messages when looking for the certificates. Could you verify that solves the cert problem? I think we still need to add a logic clause within the r->segmented block (right before line 1772) to check if the segmentation amount is greater than the packet size. Something like:
if (r->segmented >= rem_len) { r->segmented -= rem_len; return; }
Could you see if making that modification works with your PCAP? Also could you please send that PCAP to me via [email protected]
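The record-versus-message framing and the bounds check discussed in this thread, as an added illustration that is not code from joy or from either commenter. It reassembles one TLS record across any number of TCP segments, then walks every handshake message inside the completed record body, so a ServerHello and a Certificate sharing one record are both seen. The names (tls_state, tls_feed, demo_segmented_record, demo_overrun_message) and the zero-filled sample record are constructed for this example only; the 30/50/25-byte split mimics the three-packet case described above.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TLS_REC_HDR 5                       /* content type (1) + version (2) + length (2) */
#define TLS_HS_HDR  4                       /* handshake type (1) + length (3) */
#define MAX_RECORD  (16384 + TLS_REC_HDR)   /* 2^14 max plaintext fragment (RFC 5246) */

enum { TLS_CT_HANDSHAKE = 22, HS_SERVER_HELLO = 2, HS_CERTIFICATE = 11 };

/* Per-flow reassembly state: one record at a time, spread over any number of segments. */
struct tls_state {
    uint8_t buf[MAX_RECORD];  /* record bytes collected so far */
    size_t  have;             /* how many of them we hold */
    size_t  need;             /* header + body length once the header is known, else 0 */
    int server_hello, certificate, other, errors;
};

static uint32_t be24(const uint8_t *p) { return ((uint32_t)p[0] << 16) | (p[1] << 8) | p[2]; }
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk every handshake message in one complete record body; several may share a record. */
static void parse_handshake_body(struct tls_state *s, const uint8_t *p, size_t len)
{
    size_t off = 0;
    while (off + TLS_HS_HDR <= len) {
        uint32_t mlen = be24(p + off + 1);
        if (mlen > len - off - TLS_HS_HDR) { s->errors++; return; }  /* message overruns record */
        switch (p[off]) {
        case HS_SERVER_HELLO: s->server_hello++; break;
        case HS_CERTIFICATE:  s->certificate++;  break;
        default:              s->other++;        break;
        }
        off += TLS_HS_HDR + mlen;
    }
    if (off != len) s->errors++;  /* leftover bytes that are not a whole message */
}

/* Feed one TCP segment's payload; returns how many records were completed by it. */
int tls_feed(struct tls_state *s, const uint8_t *data, size_t len)
{
    int completed = 0;
    while (len > 0) {
        if (s->need == 0) {
            /* Collect the 5-byte header first; it may itself straddle segments. */
            size_t want = TLS_REC_HDR - s->have;
            size_t take = len < want ? len : want;
            memcpy(s->buf + s->have, data, take);
            s->have += take; data += take; len -= take;
            if (s->have < TLS_REC_HDR) break;
            size_t body = be16(s->buf + 3);
            if (body == 0 || body > MAX_RECORD - TLS_REC_HDR) {  /* bogus length: drop and resync */
                s->errors++; s->have = 0; break;
            }
            s->need = TLS_REC_HDR + body;
            continue;
        }
        /* Owed bytes may exceed this segment: take only what is here and wait for more.
           This is the "segmented >= remaining" check the thread proposes, so the
           remaining length never underflows. */
        size_t remaining = s->need - s->have;
        size_t take = len < remaining ? len : remaining;
        memcpy(s->buf + s->have, data, take);
        s->have += take; data += take; len -= take;
        if (s->have == s->need) {
            if (s->buf[0] == TLS_CT_HANDSHAKE)
                parse_handshake_body(s, s->buf + TLS_REC_HDR, s->need - TLS_REC_HDR);
            s->have = 0; s->need = 0;
            completed++;
        }
    }
    return completed;
}

/* Constructed sample: one 100-byte handshake record holding a ServerHello (40-byte body)
   followed by a Certificate (52-byte body); bodies are zero-filled, only framing matters. */
static size_t build_sample(uint8_t *out)
{
    static const uint8_t hdr[] = { TLS_CT_HANDSHAKE, 0x03, 0x03, 0x00, 100 };
    memcpy(out, hdr, sizeof hdr);
    size_t off = TLS_REC_HDR;
    memset(out + off, 0, 100);
    out[off] = HS_SERVER_HELLO; out[off + 3] = 40; off += TLS_HS_HDR + 40;
    out[off] = HS_CERTIFICATE;  out[off + 3] = 52; off += TLS_HS_HDR + 52;
    return off;  /* 105 bytes */
}

/* Deliver the sample as 30/50/25-byte segments. Returns 1 when the record completes
   on the last segment with both messages counted and no errors. */
int demo_segmented_record(void)
{
    uint8_t rec[MAX_RECORD]; struct tls_state s; memset(&s, 0, sizeof s);
    size_t n = build_sample(rec);
    int c = tls_feed(&s, rec, 30);
    c += tls_feed(&s, rec + 30, 50);
    c += tls_feed(&s, rec + 80, n - 80);
    return c == 1 && s.server_hello == 1 && s.certificate == 1 && s.errors == 0;
}

/* A record whose handshake header claims 100 bytes while the record carries only 16:
   the parser flags it rather than reading past the record. Returns 1 on that outcome. */
int demo_overrun_message(void)
{
    uint8_t rec[MAX_RECORD]; struct tls_state s; memset(&s, 0, sizeof s);
    static const uint8_t hdr[] = { TLS_CT_HANDSHAKE, 0x03, 0x03, 0x00, 20 };
    memcpy(rec, hdr, sizeof hdr);
    memset(rec + TLS_REC_HDR, 0, 20);
    rec[TLS_REC_HDR] = HS_CERTIFICATE; rec[TLS_REC_HDR + 3] = 100;
    tls_feed(&s, rec, TLS_REC_HDR + 20);
    return s.errors == 1 && s.certificate == 0;
}
```

The design point is that the record length, not the packet length, drives reassembly: each segment only ever contributes min(bytes present, bytes still owed), and message-level lengths are checked against the record body they sit in. A handshake header that claims more than its record holds is the kind of inconsistency the thread notes as a possible indicator of odd traffic, and it is counted as an error instead of being trusted.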