Dk Jack dnj0496 at gmail.com
Wed Mar 16 18:21:16 PDT 2016

I have a unique situation where I am receiving traffic from two
interfaces, eth0 and eth1. I've modified the node.cfg file to distribute
the traffic to multiple workers, i.e. two workers for eth0 and two
workers for eth1. The interface eth0 receives HTTP traffic and the
interface eth1 is receiving HTTPS traffic. The tricky part is, both
interfaces are actually receiving the same traffic, i.e. same 5-tuple
(src.ip/port, dst.ip/port, protocol). The plain HTTP traffic is also
received on port 443. The diagram below shows the details:

  ------+------>| decryptor |-----------+ HTTP
        |       +-----------+           | dst.port=443
        |                               V
        |                         +-----------+
        | HTTPS                   |   eth0    |
        | dst.port=443            |           |
        +------------------------>|eth1       |
                                  |           |
                                  |   Bro     |

For a second, if we forget the question of "Why are you doing this crazy
stuff?", would such a setup cause problems for Bro?

What I've noticed is that (although the traffic volume is relatively the
same on both interfaces) the connections are not showing up in the
http.log. Although, some of them do show up (less than 1% of the
traffic). The ssl.log shows a record for each connection. I am
suspecting that unencrypted HTTP traffic received on port 443 is being
parsed as SSL traffic by Bro.

Is my observation correct? Is there a way to force Bro to interpret the
plain HTTP data correctly in this sort of configuration? Thanks.

