I ran into a problem during an investigation where one of our analysts was unable to identify the network session in NetWitness, but had a packet from the IDS supporting a SQLi attempt.
Basically I was able to isolate the network session in NetWitness, but the IDS reported the TCP src port as 57702, whereas I only found the HTTP request via TCP src port 57710. When I query NetWitness for 57702 I see an event where service = 80 && tcpflags = 'syn' && action !exists && result.code exists. I see the HTTP RESPONSE only in the pcap from NetWitness, not the full request/response I expect.
Example of the pcap in Wireshark.
Has anyone seen this before?
If I run that query against all my packet flows I get millions of sessions.
service = 80 && tcpflags = 'syn' && action !exists && result.code exists
What is this traffic? I would expect that every HTTP session has a request/response and thus the HTTP method.
What am I missing? Is this potentially continuation traffic? Does NetWitness cut off the event after 60 sec/32MB and then if we see the response we mark it as a separate session?
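One way to check offline what the NetWitness query above is selecting is to classify each TCP session in the exported pcap by whether a request line (HTTP method), a status line, or both were seen. The script below is an added example written for this thread, not code from the original post or from NetWitness; it uses only the standard library and builds a constructed in-memory pcap (hypothetical hosts 10.0.0.5 and 10.0.0.9, and the two client ports from the post) so it runs without a real capture file. A "response-only" session here corresponds to action !exists && result.code exists in the post's query.

```python
"""Classify TCP sessions in a pcap as request+response, request-only,
response-only or no-http. Added example, not from the original post.
The pcap parser is minimal (Ethernet/IPv4/TCP, no VLAN or IPv6) and
the sample capture is constructed inline with zeroed checksums."""
import struct
from collections import defaultdict

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
SYN = 0x02
PSH_ACK = 0x18


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums zero; fine for offline parsing)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # dst MAC, src MAC, EtherType IPv4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (link type 1 = Ethernet)."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
    return header + records


def iter_frames(pcap):
    """Yield raw frames from pcap bytes (24-byte global header, 16-byte record headers)."""
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                         # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def session_key(a_ip, a_port, b_ip, b_port):
    """Direction-independent key so both halves of a conversation land in one session."""
    return tuple(sorted([(a_ip, a_port), (b_ip, b_port)]))


def classify_sessions(pcap):
    """Map each session key to one of request+response / request-only / response-only / no-http."""
    seen = defaultdict(lambda: {"syn": False, "request": False, "response": False})
    for frame in iter_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, flags, payload = parsed
        s = seen[session_key(src, sport, dst, dport)]
        if flags & SYN:
            s["syn"] = True
        if payload.startswith(HTTP_METHODS):               # request line => NetWitness 'action'
            s["request"] = True
        if payload.startswith(b"HTTP/1."):                 # status line  => 'result.code'
            s["response"] = True
    labels = {}
    for key, s in seen.items():
        if s["request"] and s["response"]:
            labels[key] = "request+response"
        elif s["request"]:
            labels[key] = "request-only"
        elif s["response"]:
            labels[key] = "response-only"
        else:
            labels[key] = "no-http"
    return labels


def sample_pcap():
    """Constructed capture: port 57710 has a full exchange; port 57702 shows SYN plus a
    server response only, mirroring the session described in the post."""
    c, srv = "10.0.0.5", "10.0.0.9"                       # hypothetical client and server
    frames = [
        build_packet(c, srv, 57710, 80, SYN),
        build_packet(c, srv, 57710, 80, PSH_ACK, b"GET /index.php?id=1 HTTP/1.1\r\nHost: x\r\n\r\n"),
        build_packet(srv, c, 80, 57710, PSH_ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
        build_packet(c, srv, 57702, 80, SYN),
        build_packet(srv, c, 80, 57702, PSH_ACK, b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    for key, label in classify_sessions(sample_pcap()).items():
        print(key, label)
```

Pointing `classify_sessions` at the bytes of a real NetWitness pcap export (`open(path, "rb").read()`) shows, per session, whether the request is genuinely absent from the captured packets or merely not parsed; sessions tagged "response-only" are the ones to compare against the `action !exists && result.code exists` results.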