5912 rfb skip v4 #9071
5912 rfb skip v4 #9071
Conversation
We only try to parse a small subset of what is possible in RFB. Currently we only understand some standard auth schemes and stop parsing when the server-client handshake is complete. Since in IPS mode returning an error from the parser causes drops that are likely uncalled for, we do not want to return errors when we simply do not understand what happens in the traffic. This addresses Redmine OISF#5912.
There was a problem hiding this comment.
Thanks Sascha.
CI : green
Code : a few questions
Commits segmentation : ok for me
Commit messages : ok for me. @satta the ticket number should be on its own line as Ticket: #5912 cf git log | grep '#'
Git ID set : ok
CLA : ok
Doc update : none needed
Redmine ticket : ok
Rustfmt : ok
Tests : I wonder if the IPS app-layer.error-policy: drop-flow should be tested somehow
Dependencies added: none
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## master #9071 +/- ##
==========================================
- Coverage 82.35% 82.26% -0.09%
==========================================
Files 969 969
Lines 273655 273721 +66
==========================================
- Hits 225359 225173 -186
- Misses 48296 48548 +252
Flags with carried forward coverage won't be shown. Click here to find out more. |
Will keep this in mind for next time. |
Patched this up in staging. |
|
[...]
Thanks! |
|
It gives more RFB flow and transactions, and fewer errors. W/o looking at the (private) traffic, does this seem plausible based on the changes? See #9083 (comment) |
|
I would say so. The point of this change was to reduce the amount of app-layer errors when technically there is no error but we just don't implement all of RFB's variety in the field. |
Thanks Sascha! |
|
Merged in #9083, thanks! |
|
For information @satta the rfb error comes from a real RFB conversation, but the TCP client first sends |
|
More important @satta, every time you Otherwise, the transaction does not get logged... |
|
And it looks like the client can send its version first, which is not handled bu the current state machine |
I can't see any indication of this being valid in the protocol [1][2] -- the server always advertises its version first AFAICS. Could we be seeing one-sided traffic or something like that there? [1] https://github.com/rfbproto/rfbproto/blob/master/rfbproto.rst#handshaking-messages |
No idea what this could be. Can you share a pcap? |
I guess we can still log whatever data we have so far then, right. I'll add that. |
|
These pcaps cannot be shared unfortunately
Both sides, TCP client first, then TCP server sends the RFB version |
Where do you see this? The specs I linked in my previous message above as well as the pcaps I have recorded from my own traffic state that the server that is contacted via TCP sends its version to the connecting client first to make it possible for the client to check if a common protocol version can be found: |
|
I see this in private pcaps :-/ Is it a mismatch between TCP server and RFB server ? |
Don't think so. All the pcaps I've seen agree with the spec. Could it be that the pcap you're seeing this in might have a collection artifact of some sort? Can you confirm the session is valid? Can Wireshark dissect the communication correctly? |
|
Wireshark dissects correctly but says |
Previous PR: #9064
Link to redmine ticket: #5912
Describe changes to previous PR: