I ran into a problem during an investigation where one of our analysts was unable to identify the network session in NetWitness, but had a packet from the IDS supporting a SQLi attempt.
Basically I was able to isolate the network session in NetWitness but IDS reported TCP src port as 57702, whereas I only found the HTTP request via TCP src port 57710. When I query NetWitness for 57702 I see an event where service = 80 && tcpflags = 'syn' && action !exists && result.code exists. I see the http RESPONSE only in the pcap from netwitness, not the full request/response I expect.
Example of the pcap in Wireshark.
Has anyone seen this before?
If I run that query against all my packet flows I get millions of sessions.
service = 80 && tcpflags = 'syn' && action !exists && result.code exists
What is this traffic? I would expect that every HTTP session has a request/response and thus the HTTP method.
What am I missing? Is this potentially continuation traffic? Does NetWitness cut off the event after 60 sec/32MB and then if we see the response we mark it as a separate session?
Hi Kevin,
Does NetWitness cut off the event after 60 sec/32MB and then if we see the response we mark it as a separate session?
Yes, that seems to be the case. That is the time the event stays in memory as part of the same session; after that it will be treated as another session. You can increase that value in special cases, but you will have some performance impact.
I hope that answered your questions.
Thanks,
Sergio
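One way to triage the "response only" sessions the query above returns, given the session cut-off Sergio describes: treat each session that matches the query as a candidate continuation and pair it with the most recent earlier session on the same 5-tuple that started within the session timeout. The script below is an added example, not code from the thread or from RSA NetWitness; the meta key names (`ip.src`, `ip.dst`, `tcp.srcport`, `tcp.dstport`, `service`, `tcpflags`, `action`, `result.code`, `time`) and the 60-second timeout are assumptions, and the session records are constructed sample data rather than an export from a real deployment.

```python
"""Correlate session metadata split by a session timeout.

Added example (not from the thread or from RSA NetWitness). Field names are
assumed meta keys; SESSIONS is constructed sample data. Session 2 below is
the response-only half of session 1: same 5-tuple, no HTTP action, but a
result.code, starting just after the assumed 60 s cut-off.
"""
from collections import defaultdict

SESSIONS = [
    {"id": 1, "time": 1000, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 57702, "tcp.dstport": 80, "service": 80,
     "tcpflags": ["syn", "ack"], "action": "get", "result.code": None},
    {"id": 2, "time": 1061, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 57702, "tcp.dstport": 80, "service": 80,
     "tcpflags": ["syn", "ack"], "action": None, "result.code": "200"},
    {"id": 3, "time": 1002, "ip.src": "10.0.0.5", "ip.dst": "192.0.2.10",
     "tcp.srcport": 57710, "tcp.dstport": 80, "service": 80,
     "tcpflags": ["syn", "ack", "fin"], "action": "post", "result.code": "200"},
    {"id": 4, "time": 5000, "ip.src": "10.0.0.9", "ip.dst": "192.0.2.10",
     "tcp.srcport": 40000, "tcp.dstport": 80, "service": 80,
     "tcpflags": ["syn", "ack"], "action": None, "result.code": "404"},
]


def is_response_only(session):
    """Mirror of the thread's query:
    service = 80 && tcpflags = 'syn' && action !exists && result.code exists
    """
    return (session["service"] == 80
            and "syn" in session["tcpflags"]
            and session["action"] is None
            and session["result.code"] is not None)


def tuple_key(session):
    """Group sessions by the TCP 5-tuple (protocol is implied by service)."""
    return (session["ip.src"], session["ip.dst"],
            session["tcp.srcport"], session["tcp.dstport"])


def link_continuations(sessions, timeout=60, slack=5):
    """Map each response-only session id to the id of the most recent earlier
    session on the same 5-tuple that started within timeout+slack seconds
    before it, or None if no such parent exists (a genuine orphan response).
    """
    by_key = defaultdict(list)
    for s in sessions:
        by_key[tuple_key(s)].append(s)

    links = {}
    for s in sessions:
        if not is_response_only(s):
            continue
        candidates = [p for p in by_key[tuple_key(s)]
                      if p["id"] != s["id"]
                      and 0 <= s["time"] - p["time"] <= timeout + slack]
        parent = max(candidates, key=lambda p: p["time"], default=None)
        links[s["id"]] = parent["id"] if parent else None
    return links


def response_only_ids(sessions):
    """Ids of sessions the thread's query would return."""
    return [s["id"] for s in sessions if is_response_only(s)]


if __name__ == "__main__":
    for cont, parent in link_continuations(SESSIONS).items():
        status = f"continuation of session {parent}" if parent else "no parent found"
        print(f"session {cont}: {status}")
```

Sessions that pair up are the split request/response halves and can be reviewed together; sessions that return `None` are the ones worth a closer look, since no earlier session on that 5-tuple explains the missing request. The `slack` parameter absorbs clock jitter between the IDS and the decoder; tune it to the time skew you observe.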