[Bro] HTTPS Analyzer

Johanna Amann johanna at icir.org
Fri Jun 5 15:46:47 PDT 2015


> In a nutshell, we are trying to write an HTTPS analyzer for on the fly
> decryption of the SSL stream and then feed it to the built in HTTP
> Analyzer. We will use a crypto library + server keys to achieve the
> decryption. Is it possible at all do this in Bro?

Sure, in theory it is possible to do that. You would have to extend the
current SSL analyzer and start decrypting the packets at the right point
of time. You should not even have to implement an HTTPS analyzer; you
basically can just shove the decrypted data back into the Bro processing

The best example for this happening might potentially be one of the tunnel
analyzers -- SMTP also does it by attaching SSL as a sub-analyzer in case
STARTTLS is used.

The biggest problem will probably be to get the SSL analyzer changed to
decrypt the data. You also will have to get your encryption keys into Bro
somehow before the first encrypted data packet is parsed by the SSL


More information about the Bro mailing list