[Bro] Subclassing from SSL Analyzer

Seth Hall seth at icir.org
Wed Jun 17 21:12:16 PDT 2015

> On Jun 17, 2015, at 1:38 PM, N B <nb.nospam at gmail.com> wrote:
> An option I was thinking of was to directly change the SSL analyzer's code and not subclass at all. But that would mean I will have to keep patching it forward as we get newer Bro releases.

I don’t believe you want to subclass the analyzer.  The right way is to poke the right decryption into the right place in the analyzer.  It’s remarkably easy if you understand Binpac well.  We wouldn’t intrinsically have any issues with merging SSL decryption into Bro either if it’s done well; there is no reason for you to maintain a patch set moving forward.  If it was brought into Bro we would need tests too so that even for us to maintain it, it shouldn’t be overly onerous.

I guess I’ll go ahead and admit it now... I have some changes to the SSL analyzer that I haven’t pushed out anywhere that poke into the right places in the analyzer to decrypt traffic.  What I’ve gotten stuck on (due to lack of time and inexperience) is doing the actual decryption.  If there is someone out there that has done this before I’d be interested in talking and possibly working together on it.  We can certainly make this happen and get this into a Bro release.  I think that we could even do some really neat stuff that other open source decryption tools aren’t doing due to Bro being so dynamic.

Anyone interested? (I’m still not going to post my code publicly; I don’t want to get the questions that I’d inevitably get if I did.)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
