[Bro] Fwd: Bro SSL analyzer

Matthias Vallentin vallentin at icir.org
Sun Mar 3 17:36:09 PST 2013

CC'ing the Bro mailing list for broader review.


---------- Forwarded message ----------
From: Ahir Reddy <ahirreddy at gmail.com>
Date: Sun, Mar 3, 2013 at 5:32 PM
Subject: Bro SSL analyzer
To: Matthias Vallentin <vallentin at icir.org>


I was wondering if you have some insight into the SSL analyzer. I'm
having some issues detecting SSL alerts (in this case they are
transmitted after a FIN packet is seen). I've been trying to make
changes to SSL.cc, but I can't figure out what effectively closes the
SSL analyzer. I have already subclassed the TCP analyzer to detect RST
packets that appear after FINs, and I've been trying to do something
similar for the SSL Analyzer.

