[Bro] HTTPS Analyzer

N B nb.nospam at gmail.com
Mon Jun 8 13:30:12 PDT 2015


Thanks Johanna. Much appreciated for the suggestion of extending the SSL
analyzer.

> "you basically can just shove the decrypted data back into the Bro
> processing pipeline."

I am assuming that by above you mean to just call the "ForwardStream()"
method? Please confirm if that's the case.

> "The biggest problem will probably be to get the SSL analyzer changed to
> decrypt the data. You also will have to get your encryption keys into Bro
> somehow before the first encrypted data packet is parsed by the SSL
> analyzer."

Getting the key loaded via the new class's constructor or as a static
initialized value won't be enough? Maybe I missed something important here.
Can you please clarify?

Thanks
Nikunj



On Fri, Jun 5, 2015 at 3:46 PM, Johanna Amann <johanna at icir.org> wrote:

> Hello,
>
> > In a nutshell, we are trying to write an HTTPS analyzer for on the fly
> > decryption of the SSL stream and then feed it to the built in HTTP
> > Analyzer. We will use a crypto library + server keys to achieve the
> > decryption. Is it possible at all to do this in Bro?
>
> Sure, in theory it is possible to do that. You would have to extend the
> current SSL analyzer and start decrypting the packets at the right point
> of time. You should not even have to implement an HTTPS analyzer; you
> basically can just shove the decrypted data back into the Bro processing
> pipeline.
>
> The best example for this happening might potentially be one of the tunnel
> analyzers -- SMTP also does it by attaching SSL as a sub-analyzer in case
> STARTTLS is used.
>
> The biggest problem will probably be to get the SSL analyzer changed to
> decrypt the data. You also will have to get your encryption keys into Bro
> somehow before the first encrypted data packet is parsed by the SSL
> analyzer.
>
> Johanna
>
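The timing point Johanna raises above (the server key has to be in place before the first encrypted record is parsed) follows from how TLS 1.2 derives its session keys from the handshake. The script below is an added illustration, not code from this thread or from Bro: it implements the TLS 1.2 PRF and key-block partitioning from RFC 5246 (sections 5 and 6.3) with the standard library only, and drives a small model of a passive decryptor that, like the SSL analyzer discussed here, processes handshake messages in wire order without buffering them. The RSA key transport is replaced by a clearly labelled XOR stand-in (an assumption made so the script needs no crypto library), and all session values are constructed.

```python
"""TLS 1.2 key schedule (RFC 5246 sections 5 and 6.3) plus a model of a passive
monitor that must already hold the server key when ClientKeyExchange arrives.
Added example: stdlib only; RSA key transport is replaced by a toy stand-in."""
import hashlib
import hmac
from typing import Dict, Optional


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion (RFC 5246 section 5): A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1)+seed) || HMAC(secret, A(2)+seed) || ..."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 suites: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


# Sizes for an AES-128-GCM suite: two 16-byte write keys and two 4-byte implicit
# nonces; AEAD suites carry no separate MAC keys in the key block.
KEY_LEN, IV_LEN = 16, 4


def derive_session_keys(pre_master: bytes, client_random: bytes,
                        server_random: bytes) -> Dict[str, bytes]:
    """Premaster -> master secret -> key block, partitioned as in RFC 5246 6.3."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random,
                2 * KEY_LEN + 2 * IV_LEN)
    return {
        "master_secret": master,
        "client_write_key": block[0:KEY_LEN],
        "server_write_key": block[KEY_LEN:2 * KEY_LEN],
        "client_write_iv": block[2 * KEY_LEN:2 * KEY_LEN + IV_LEN],
        "server_write_iv": block[2 * KEY_LEN + IV_LEN:],
    }


def toy_key_transport(server_key: bytes, data: bytes) -> bytes:
    """Stand-in for RSA key transport (assumption: NOT real RSA; an XOR with a
    keystream derived from the server key). Applying it twice restores the input."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(server_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(x ^ y for x, y in zip(data, stream))


class PassiveDecryptor:
    """Model of the analyzer side: handshake messages arrive in wire order and
    are not buffered (modelling assumption matching the thread's description)."""

    def __init__(self, server_key: Optional[bytes] = None):
        self.server_key = server_key
        self.client_random: Optional[bytes] = None
        self.server_random: Optional[bytes] = None
        self.keys: Optional[Dict[str, bytes]] = None
        self.missed = False  # key was absent at the one moment it was needed

    def load_server_key(self, key: bytes) -> None:
        self.server_key = key

    def on_client_hello(self, random32: bytes) -> None:
        self.client_random = random32

    def on_server_hello(self, random32: bytes) -> None:
        self.server_random = random32

    def on_client_key_exchange(self, wrapped_pms: bytes) -> None:
        # The premaster is only recoverable here; every later record depends on it.
        if self.server_key is None:
            self.missed = True
            return
        pms = toy_key_transport(self.server_key, wrapped_pms)
        self.keys = derive_session_keys(pms, self.client_random, self.server_random)

    def can_decrypt(self) -> bool:
        return self.keys is not None and not self.missed


# Constructed, fixed session values so runs are reproducible.
SERVER_KEY = b"constructed-server-private-key-material"
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)  # 2-byte version prefix + 46 bytes


def run_session(key_loaded_before_handshake: bool):
    """Replay one handshake through the monitor; return (client keys, monitor keys or None)."""
    client_keys = derive_session_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    mon = PassiveDecryptor(SERVER_KEY if key_loaded_before_handshake else None)
    mon.on_client_hello(CLIENT_RANDOM)
    mon.on_server_hello(SERVER_RANDOM)
    mon.on_client_key_exchange(toy_key_transport(SERVER_KEY, PRE_MASTER))
    if not key_loaded_before_handshake:
        mon.load_server_key(SERVER_KEY)  # too late: ClientKeyExchange already passed
    return client_keys, (mon.keys if mon.can_decrypt() else None)


if __name__ == "__main__":
    for early in (True, False):
        _, mon_keys = run_session(early)
        print("key loaded early" if early else "key loaded late ",
              "-> decryptable" if mon_keys else "-> session lost")
```

With the key present from the start, the monitor derives exactly the write keys and IVs the client holds; loading it after ClientKeyExchange has been consumed leaves the session unrecoverable in this model, which is the practical reason a constructor or static initializer only suffices if it runs before the analyzer sees that message for the connection in question.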