haka-security / haka

Haka runtime
http://haka-security.org
Mozilla Public License 2.0

error tcp: invalid tcp establishement handshake #26

Open blotgg opened 9 years ago

blotgg commented 9 years ago

If I use module = "packet/nfqueue" and add local http = require('protocol/http'),

I get an error when connecting to HTTP servers: error tcp: invalid tcp establishement handshake, and I can't open the web page.

If I delete the line local http = require('protocol/http'), I don't get this error and I can open the web page.


Configuration daemon.conf:

[general]
configuration = "tcpfilter.lua"
pass-through = no

[packet]
module = "packet/nfqueue"

interfaces = "eth2"

[log]
module = "log/syslog"


Configuration tcpfilter.lua:

require('protocol/ipv4')
local tcp = require('protocol/tcp')
local http = require('protocol/http')

-- Allow only packets to/from port 80
haka.rule{
        hook = tcp.events.receive_packet,
        eval = function (pkt)
                -- Match either direction of the HTTP connection; the TCP
                -- dissector exposes the ports as 'srcport' and 'dstport'
                if pkt.dstport == 80 or pkt.srcport == 80 then
                        haka.log("Authorizing traffic on port 80")
                else
                        haka.log("Traffic not authorized on port %d", pkt.dstport)
                        pkt:drop()
                end
        end
}

mtalbi commented 9 years ago

Hi blotgg,

I ran your script with your configuration file and it worked fine. Could you provide us with a pcap that triggers this error? You can add the following to your daemon.conf to save input and output traffic into pcap files:

dump = yes
dump_input = "/tmp/input.pcap"
dump_output = "/tmp/output.pcap"

blotgg commented 9 years ago

Hi mtalbi, I captured the traffic and recorded Haka's logs: https://goo.gl/fEgTUJ Perhaps the reason for the error is that I'm using NAT?

Alerts from log file:

alert: id = 46
        time = Fri Jun 26 16:59:23 2015
        severity = low
        description = no connection found for tcp packet
        sources = {
                address: 192.168.0.2
                service: tcp/50195
        }
        targets = {
                address: 178.154.131.215
                service: tcp/80
        }
mtalbi commented 9 years ago

Hi,

Sorry for the delay,

Can you run the script again with a single thread (thread=1 in daemon.conf) and check whether the problem is still there?

blotgg commented 9 years ago

Hello,

Unfortunately the problem is not resolved :( I saved the traffic again with thread=1: https://drive.google.com/file/d/0B6-p-Th9K4U9dzBDUlZXeXVSRGc/view?usp=sharing

Maybe the problem is in the network configuration?

mtalbi commented 9 years ago

OK. It seems that Haka is capturing only outgoing packets. Incoming packets arrive through another interface.

Try to capture packets on all interfaces (i.e. interfaces = "any" in daemon.conf). This will fix the problem.
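A check a practitioner would want before changing the interface list: confirm from the dump itself whether the capture point sees both directions of each TCP flow. The script below is an added example, not code from the Haka project or from this thread. It parses a classic pcap (assumed to use the Ethernet or raw-IPv4 link type; which link type Haka's dump option writes is an assumption here) and lists TCP flows in which only one endpoint ever sent a packet, which is exactly the situation that produces "no connection found for tcp packet" and a failed handshake. The sample capture is constructed inline from hand-built frames: the 192.168.0.2 and 178.154.131.215 addresses are taken from the alert above, 198.51.100.10 is a constructed documentation address.

```python
"""List TCP flows that a pcap sees in only one direction (asymmetric capture check)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW_IPV4 = 101   # assumption: raw-IP dumps use this link type
TCP_SYN = 0x02
TCP_ACK = 0x10


def ip_packets(data):
    """Return the IPv4 packets of a classic (non-pcapng) pcap, link layer stripped."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", data, 20)
    if linktype not in (LINKTYPE_ETHERNET, LINKTYPE_RAW_IPV4):
        raise ValueError("unsupported link type %d" % linktype)
    packets, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if linktype == LINKTYPE_ETHERNET:
            if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
                continue
            frame = frame[14:]
        packets.append(frame)
    return packets


def tcp_tuple(pkt):
    """Return (src, sport, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return src, sport, dst, dport, tcp[13]


def one_directional_flows(data):
    """Return sorted (talker, silent_peer) pairs for flows with traffic in one direction only.

    A capture point on the path sees both the client's SYN and the server's SYN-ACK.
    A flow listed here means the reverse path bypasses the capture point, for example
    because the replies arrive on an interface Haka is not listening on.
    """
    senders = defaultdict(set)
    for pkt in ip_packets(data):
        t = tcp_tuple(pkt)
        if t is None:
            continue
        src, sport, dst, dport, _flags = t
        a, b = "%s:%d" % (src, sport), "%s:%d" % (dst, dport)
        senders[tuple(sorted((a, b)))].add(a)
    result = []
    for (a, b), who in senders.items():
        if len(who) == 1:
            talker = next(iter(who))
            result.append((talker, b if talker == a else a))
    return sorted(result)


def build_frame(src, sport, dst, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame without payload (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Constructed little-endian classic pcap wrapping the given Ethernet frames."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


# Constructed sample: one healthy handshake, one flow whose replies never reach the capture point.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.0.2", 50100, "198.51.100.10", 80, TCP_SYN),
    build_frame("198.51.100.10", 80, "192.168.0.2", 50100, TCP_SYN | TCP_ACK),
    build_frame("192.168.0.2", 50100, "198.51.100.10", 80, TCP_ACK),
    build_frame("192.168.0.2", 50195, "178.154.131.215", 80, TCP_SYN),
    build_frame("192.168.0.2", 50195, "178.154.131.215", 80, TCP_ACK),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for talker, silent in one_directional_flows(data):
        print("one-directional flow: %s -> %s (no packets back)" % (talker, silent))
```

Run it against /tmp/input.pcap from the dump option; every flow it prints is one where the SYN-ACK (or any reply) was never seen by Haka, so the TCP dissector has no connection state when the client's next segment arrives.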

blotgg commented 9 years ago
...
info  nfqueue: installing iptables rules for device(s) any
error nfqueue: 'any' is not a valid network interface
...

Does Haka support "any" as an interface?

mtalbi commented 9 years ago

Ah... the "any" keyword works only with the pcap packet capture module. Instead, list your interfaces as follows. This will instruct Haka to capture packets on interfaces eth0, eth1 and eth2:

interfaces = "eth0, eth1, eth2"