question regarding session creation

scott campbell scampbell at
Fri Sep 26 16:31:30 PDT 2003

Hash: SHA1

Thanks for the quick reply.

The problem that I have with using SSL_Interpretor* is that it's creator
relies on the SSL_Connection_Proxy which is the same sort of function
that I can't seem to get working.  The *version* of SSL is not
pre-determined, but the connection type is already been assigned. :(

I would do some sort of dreadful hack to get this working (ie create a
new blank creator or something of the sort), but the the
SSL_Connection_Proxy proxy value is used thought the remaining SSL and
X509 code and everything would just break horribly.

This sort of problem may be insolvable with the current design of bro,
at least as far as I understand.  I will probably create a new generic
GSI class that just answers questions regarding data handed to it
(example X509 certs and the like) for the time being (since the
necessity for dealing with many of the complexitys of 'real' SSL
connections are not present).  It will not be at all interested in
connection data, so there will not be problems assosciated with it of
this nature.

If you (or anybody else) get other ideas, or see something that I missed
please let me know as the solution I am following is less than ideal...

Robin Sommer wrote:
| On Fri, Sep 26, 2003 at 10:50 -0700, Scott Campbell wrote:
|>I would like to be able to create a new connection object to analyze the
|>authentication handshake from within the gsiftp analyzer, but have so
| If I understand your description correctly, you would like to decode
| an independent SSL session inside the gsiftp connection object,
| right? So, basically you need the protocol decoding functionality
| for SSL, but without the surrounding connection state management.
| I am not really familiar with the internals of the upcoming SSL
| analyzer, but as far as I know it implements exactly this separation
| (because it cannot decide whether it sees an SSL v2 or v3 connection
| before having parsed some data). Take a look at the classes
| SSL_Interpreter and SSL_InterpreterEndpoint (I think you already
| have the code, right? If not, contact me again or, even better, ask
| Michael and Benedikt about this (cc'ed; are you guys on the Bro
| list?))
| More generally, the separation of connections and protocol analyzers
| could make sense for other applications, too. For example, there are
| cases in which we cannot deduce the service from the ports that are
| used. Or, we may want to switch the analyzer after some data has
| already been read (again, SSL is a nice example: After having
| analyzed the handshake of an HTTPS session, we could pass the data
| on to the HTTP analyzer) But this would be a major change in Bro's
| structure...
| Robin

Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


More information about the Bro mailing list