[Bro] HTTPS Analyzer

[N B]

Hi Johanna (and everyone else on the list),

I am currently struggling with this as to how to put the decrypted data
back into the Bro pipeline? I am able to get the data decrypted (actually
its just a test with a simple xor data into it and xor it back in the
analyzer) in my analyzer and calling ForwardStream() with the new data and
length. I have checked and double checked that everything looks like it
should be i.e. the resulting stream is HTTP data (headers, content etc) but
for some reason the HTTP analyzer does not get invoked. Please help.

Thanks
Nikunj


On Mon, Jun 8, 2015 at 1:30 PM, N B <nb.nospam at gmail.com> wrote:

> Thanks Johanna. Much appreciated for the suggestion of extending the SSL
> analyzer.
>
> > "you basically can just shove the decrypted data back into the Bro
> processing pipeline."
>
> I am assuming that by above you mean to just call the "ForwardStream()"
> method? Please confirm if that's the case.
>
> > "The biggest problem will probably be to get the SSL analyzer changed to
> > decrypt the data. You also will have to get your encryption keys into Bro
> > somehow before the first encrypted data packet is parsed by the SSL
> > analyzer."
>
> Getting the key loaded via the new class's constructor or as a static
> initialized value won't be enough? Maybe I missed something important here.
> Can you please clarify?
>
> Thanks
> Nikunj
>
>
>
> On Fri, Jun 5, 2015 at 3:46 PM, Johanna Amann <johanna at icir.org> wrote:
>
>> Hello,
>>
>> > In a nutshell, we are trying to write an HTTPS analyzer for on the fly
>> > decryption of the SSL stream and then feed it to the built in HTTP
>> > Analyzer. We will use a crypto library + server keys to achieve the
>> > decryption. Is it possible at all do this in Bro?
>>
>> Sure, in theory it is possible to do that. You would have to extend the
>> current SSL analyzer and start decrypting the packets at the right point
>> of time. You should not even have to implement an HTTPS analyzer; you
>> basically can just shove the decrypted data back into the Bro processing
>> pipeline.
>>
>> The best example for this happening might potentially be one of the tunnel
>> analyzers -- SMTP also does it by attaching SSL as a sub-analyzer in case
>> STARTTLS is used.
>>
>> The biggest problem will probably be to get the SSL analyzer changed to
>> decrypt the data. You also will have to get your encryption keys into Bro
>> somehow before the first encrypted data packet is parsed by the SSL
>> analyzer.
>>
>> Johanna
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150610/4e4ed21c/attachment.html