[Bro] Bro Tor SSL suppression

Lou RUPPERT himself at louruppert.com
Thu Jul 11 14:04:09 PDT 2013


I run a few networks that have some combination of Tor users and Tor
servers. The SSL traffic is rather noisy, and on some networks I want to
know which users are using Tor for tunnel-tracking purposes. I took
jsiwek's example of Input Framework code and beat on it until it used a
list of Tor servers to suppress SSL warnings and track Tor clients. Here
it is:


A couple questions:

1. Is there a way to get a table loaded via the Input framework on a
cluster master to be visible by the cluster workers? You'd think
&synchronized would be the ticket to awesomeness, but all it did was
shame me.

2. Is there any nice sample code for hooking into the Software framework
and logging software? It would be fun to log Tor clients and servers in
the software log as well, or instead.

3. Is the tunnels log just a log of tunnels bro can bust open and feast
on the entrails of, or would it be appropriate to log opaque tunnels
like Tor or VPNs in there too?

I prefer encrypted email.  Get my key here:
PGP Fingerprint: 3261 B9F9 9363 D512 56F8  12DD 127F 4D6A 115D CF62

More information about the Bro mailing list