[Bro] Detecting Encryption

James Lay jlay at slave-tothe-box.net
Fri Aug 21 10:48:04 PDT 2015


On 2015-08-21 11:36 AM, nhtvl wrote:
> Hi all,
> 
> I am relatively new to Bro and was wondering if Bro has any way of
> detecting encryption and/or plain text in the dpd module or anywhere
> else.
> 
> I have several use cases.
> 
> 1. I wish to determine whether a program that has an auto-update feature
> is sending the updates using encryption.
> 
> 2. I wish to determine if a chat application is sending data encrypted.
> 
> I had a suggestion from my advisor that I should compress the data
> being sent over the wire to see if it is compressible or not and use
> that in determining whether a stream is using encryption or not.
> 
> Any suggestions or advice on this problem would be greatly appreciated.
> 
> Regards,
> Ben Mixon-Baca

Check out ssl.log and x509.log.

James
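
The compressibility check suggested in the question, as an added example that is not part of the original thread. The `min_len` and `threshold` values and all sample payloads are assumptions constructed for illustration; a real check would run on reassembled stream payloads.

```python
import hashlib
import zlib

def compression_ratio(payload: bytes) -> float:
    """Return compressed size / original size (about 1.0 or more = incompressible)."""
    if not payload:
        raise ValueError("empty payload")
    return len(zlib.compress(payload, 9)) / len(payload)

def classify(payload: bytes, min_len: int = 256, threshold: float = 0.95) -> str:
    """Label a reassembled payload; min_len and threshold are assumed values."""
    if len(payload) < min_len:
        # zlib header/trailer overhead dominates short inputs, so the ratio is meaningless
        return "too-short"
    return "incompressible" if compression_ratio(payload) >= threshold else "compressible"

# Constructed samples, not captured traffic.
# 1. Cleartext update manifest: file names plus hex digests.
MANIFEST = "".join(
    f"file{i:04d}.dll sha1={hashlib.sha1(str(i).encode()).hexdigest()}\n"
    for i in range(400)
).encode()
# 2. Stand-in for ciphertext: 4096 pseudo-random bytes built from SHA-256 output.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# 3. The same manifest sent unencrypted but already compressed (e.g. a packed update).
COMPRESSED_CLEARTEXT = zlib.compress(MANIFEST, 9)

SAMPLES = {
    "cleartext manifest": MANIFEST,
    "ciphertext-like": CIPHERTEXT_LIKE,
    "compressed cleartext": COMPRESSED_CLEARTEXT,
    "short chat message": b"hello, are you there?",
}

def run() -> dict:
    """Classify every constructed sample and return {name: label}."""
    return {name: classify(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22s} len={len(data):6d} -> {classify(data)}")
```

The compressed cleartext sample is labelled the same as the ciphertext-like one, so the ratio alone cannot separate encryption from compression, and short chat messages give no usable signal. A TLS handshake recorded in ssl.log and x509.log for the same connection is the stronger evidence.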

