[Bro] HTTPS Decryption

Johanna Amann johanna at icir.org
Tue Jun 13 10:05:57 PDT 2017

Oh - sorry, I misunderstood the question. In any case - no, as far as I
know, no one has done exactly what I said in the original thread
(stripping encryption while keeping the framing intact). That would need
modifications to Bro; nothing changed since the thread you linked to.

I don't jnow viewssld; if it outputs just a decrypted HTTP stream, Bro
will pick it up by itself. There are a number of people that just use Bro
behind a SSL terminator, which is kind of similar conceptually. If it
outputs some other format, you will have to adjust the Bro protocol


On Fri, Jun 09, 2017 at 08:15:28PM -0700, Osama Elnaggar wrote:
> Thanks Johanna.  But I was actually looking at the use case where you
> terminated PFS at a load balancer (or other device at the perimeter) and
> used upstream SSL (non PFS) to the backend servers.
> Would it be possible to forward SSL packets to viewssld -
> https://github.com/plashchynski/viewssld - and then back to Bro?
> Thanks.
> -- 
> Osama Elnaggar
> On June 10, 2017 at 1:04:05 PM, Johanna Amann (johanna at icir.org) wrote:
> On Fri, Jun 09, 2017 at 07:23:53PM -0700, Osama Elnaggar wrote:
> > I noticed the issue of decrypting HTTPS was mentioned several times over
> > the years (with the last time back in 2015 I think -
> > http://mailman.icsi.berkeley.edu/pipermail/bro/2015-June/008568.html) and
> > was wondering if this feature was ever added or if anyone was able to
> > successfully implement it.
> No, not to my knowledge. There were several people who wanted to implement
> it over the years - if someone did it, they never open-sourced it.
> That being said - due to the prevalence of perfectly forward secure
> ciphers, TLS decryption is not really an option anymore in most use-cases.
> Johanna

More information about the Bro mailing list