I ran into a problem during an investigation where one of our analysts was unable to identify the network session in NetWitness, but had a packet from the IDS supporting a SQLi attempt.
Basically I was able to isolate the network session in NetWitness but IDS reported TCP src port as 57702, whereas I only found the HTTP request via TCP src port 57710. When I query NetWitness for 57702 I see an event where service = 80 && tcpflags = 'syn' && action !exists && result.code exists. I see the http RESPONSE only in the pcap from netwitness, not the full request/response I expect.
Example of the pcap in wireshark.
Has anyone seen this before?
If I run that query against all my packet flows I get millions of sessions.
service = 80 && tcpflags = 'syn' && action !exists && result.code exists
What is this traffic? I would expect that every HTTP session has a request/response and thus the HTTP method.
What am I missing? Is this potentially continuation traffic? Does NetWitness cut off the event after 60 sec/32MB and then if we see the response we mark it as a separate session?
There is no session.split metakey in this event. Examples below.
sessionid | = | 1009972394451 |
time | = | 2017-08-08T19:45:18.0 |
size | = | 1948 |
payload | = | 1480 |
medium | = | 1 |
eth.src | = | 00:1C:7F:63:49:37 |
eth.dst | = | 40:01:D7:D0:B4:90 |
eth.type | = | 2048 |
|
|
|
netname | = | "other src" |
netname | = | "other dst" |
ip.proto | = | 6 |
tcp.flags | = | 27 |
tcp.flags.seen | = | "fin syn psh ack" |
tcp.srcport | = | 57702 |
tcp.dstport | = | 443 |
service | = | 80 |
streams | = | 2 |
packets | = | 7 |
lifetime | = | 1 |
result.code | = | "404" |
error | = | "404 Not Found" |
content | = | "text/html" |
|
|
|
|
|
|
requestpayload | = | 0 |
responsepayload | = | 1480 |
analysis.session | = | "ratio low transmitted" |
analysis.session | = | "watchlist port" |
tcpflags | = | "fin" |
tcpflags | = | "syn" |
tcpflags | = | "psh" |
tcpflags | = | "ack" |
analysis.session | = | "session size 0-5k" |
country.src | = | "United States" |
city.src | = | "Clifton" |
latdec.src | = | 40.8326 |
longdec.src | = | -74.1307 |
country.dst | = | "United States" |
city.dst | = | "Minneapolis" |
latdec.dst | = | 44.8784 |
longdec.dst | = | -93.2793 |
org.src | = | "Digital Ocean" |
org.dst | = | "U.s. Bancorp" |
analysis.session | = | "not top 20 dst" |
domain.dst | = | "usbank.com" |
tld | = | "com" |
sld | = | "usbank" |
|
|
|
risk.info | = | "watchlist_ports" |
|
|
|
|
|
|
|
|
|
Obviously some data was sanitized/redacted but there is no session.split key in the meta list for that top session listed as 2KB in size.
I was under the impression that session.split is tagged to the first session that runs over the limits.
Session Start > Limit Reached > Tag session.split
If we have cut that session off and THEN we get the HTTP response code on the wire as part of the same TCP session, does NetWitness know that it is a fragment of the previous session? Does it reference the absolute TCP sequence numbers or how?
Thanks
NetWitness does track multiple sessions that are associated together.To reconstruct the file, select all the session 0 to ... and use Wireshark to extract the file that was transferred.
This is session split via List View download of an AV update from Comodo each of the session is 32MB and the last session closing the end of the file at 15MB.
This is another representation in a custom view in Events tab of the same traffic. See the left of the picture that list all the sessions starting at session 0.
Note: session.split is not indexed.
