[Bro] Capturing the SSL cert via HTTP Connect Method

Johanna Amann johanna at icir.org
Mon Oct 5 15:37:37 PDT 2015


This actually is usually already supported in Bro. If I am not mistaken,
the reason why this does not work in this case is the proxy-agent header
in the response from the HTTP server.

https://bro-tracker.atlassian.net/browse/BIT-1487 has the details and a
patch that might fix your problem.

I hope this helps,
 Johanna

On Mon, Oct 05, 2015 at 05:59:55PM -0400, John B. Althouse III wrote:
> Has anyone come up with a way to get Bro to capture the SSL cert details
> when it's over an HTTP Connect tunnel? Attached is a sample PCAP.
> 
> Thanks!

