question regarding session creation

Robin Sommer robin at icir.org
Fri Sep 26 16:01:15 PDT 2003


On Fri, Sep 26, 2003 at 10:50 -0700, Scott Campbell wrote:

> I would like to be able to create a new connection object to analyze the
> authentication handshake from within the gsiftp analyzer, but have so

If I understand your description correctly, you would like to decode
an independent SSL session inside the gsiftp connection object,
right? So, basically you need the protocol decoding functionality
for SSL, but without the surrounding connection state management.

I am not really familiar with the internals of the upcoming SSL
analyzer, but as far as I know it implements exactly this separation
(because it cannot decide whether it sees an SSL v2 or v3 connection
before having parsed some data). Take a look at the classes
SSL_Interpreter and SSL_InterpreterEndpoint (I think you already
have the code, right? If not, contact me again or, even better, ask
Michael and Benedikt about this (cc'ed; are you guys on the Bro
list?))

More generally, the separation of connections and protocol analyzers
could make sense for other applications, too. For example, there are
cases in which we cannot deduce the service from the ports that are
used. Or, we may want to switch the analyzer after some data has
already been read (again, SSL is a nice example: After having
analyzed the handshake of an HTTPS session, we could pass the data
on to the HTTP analyzer). But this would be a major change in Bro's
structure...

Robin

-- 
Robin Sommer * Room        01.08.055 * www.net.in.tum.de
TU Munich    * Phone (089) 289-18006 *  sommer at in.tum.de 
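The port-independent dispatch Robin sketches in the last paragraph (pick the analyzer from the payload rather than the port, and attach or switch it only after some data has been read) as a small model in Python. This is an added example, not Bro's code and not Scott's or Robin's: the Connection, Analyzer and detect names are my own, the TLS ClientHello and HTTP request bytes are constructed, and the hand-off from the SSL analyzer to HTTP after the handshake is not modelled since it would need decrypted data. What it does show is the piece both ideas depend on: the connection buffers bytes until a decision is possible and then replays them into the chosen analyzer, so nothing read before the decision is lost.

```python
"""Constructed model (not Bro's code) of port-independent analyzer dispatch:
a Connection buffers the first payload bytes, picks the protocol analyzer from
the payload instead of the port, and replays the buffered bytes into it."""
from typing import List, Optional


class Analyzer:
    """Protocol decoder with no connection state of its own."""
    name = "base"

    def deliver(self, data: bytes) -> None:
        raise NotImplementedError


class HTTPAnalyzer(Analyzer):
    name = "http"

    def __init__(self) -> None:
        self.requests: List[str] = []

    def deliver(self, data: bytes) -> None:
        # Record the request line of each delivered request (enough for the model).
        self.requests.append(data.split(b"\r\n", 1)[0].decode("ascii", "replace"))


class SSLAnalyzer(Analyzer):
    name = "ssl"

    def __init__(self) -> None:
        self.records = []    # (content type, (major, minor), length) per TLS record
        self.leftover = b""  # partial record carried over to the next delivery

    def deliver(self, data: bytes) -> None:
        # TLS record header: content type (1 byte), version (2), length (2).
        buf = self.leftover + data
        while len(buf) >= 5:
            length = int.from_bytes(buf[3:5], "big")
            if len(buf) < 5 + length:
                break
            self.records.append((buf[0], (buf[1], buf[2]), length))
            buf = buf[5 + length:]
        self.leftover = buf


class UnknownAnalyzer(Analyzer):
    name = "unknown"

    def __init__(self) -> None:
        self.bytes_seen = 0

    def deliver(self, data: bytes) -> None:
        self.bytes_seen += len(data)


DETECT_LIMIT = 8  # bytes to buffer before giving up on detection (constructed value)


def detect(data: bytes) -> Optional[Analyzer]:
    """Choose an analyzer from payload bytes; None means 'need more data'."""
    # TLS: record type 22 (handshake), major version 3, handshake type 1 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return SSLAnalyzer()
    if any(data.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT ")):
        return HTTPAnalyzer()
    if len(data) >= DETECT_LIMIT:
        return UnknownAnalyzer()
    return None


class Connection:
    """Connection state lives here; an analyzer is attached only after detection."""

    def __init__(self, port: int) -> None:
        self.port = port  # recorded, but deliberately not used for dispatch
        self.analyzer: Optional[Analyzer] = None
        self.pending = b""

    def deliver(self, data: bytes) -> None:
        if self.analyzer is not None:
            self.analyzer.deliver(data)
            return
        self.pending += data
        chosen = detect(self.pending)
        if chosen is None:
            return  # undecided: keep buffering
        self.analyzer = chosen
        buffered, self.pending = self.pending, b""
        self.analyzer.deliver(buffered)  # replay bytes read before the decision


def analyze_flow(port: int, chunks: List[bytes]) -> Connection:
    conn = Connection(port)
    for chunk in chunks:
        conn.deliver(chunk)
    return conn


if __name__ == "__main__":
    # Constructed payloads: a TLS ClientHello on port 8080 and an HTTP request
    # on port 443. Dispatch follows the bytes, not the port.
    tls = analyze_flow(8080, [b"\x16\x03", b"\x01\x00\x06\x01\x00\x00\x02\x03\x03"])
    http = analyze_flow(443, [b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"])
    print(tls.analyzer.name, tls.analyzer.records)
    print(http.analyzer.name, http.analyzer.requests)
```

The ClientHello arrives in two chunks on purpose: the first two bytes are not enough to decide, so they sit in the connection's buffer until the rest arrives, and the SSL analyzer still sees the whole record. Switching analyzers mid-connection, as Robin describes for HTTPS, would reuse exactly this mechanism with the SSL analyzer calling back into the connection to replace itself.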