[Bro] Capturing the SSL cert via HTTP Connect Method

Josh Liburdi liburdi.joshua at gmail.com
Mon Oct 5 15:25:08 PDT 2015


I don't think this would be too difficult to add-- there's already
code that hands off the HTTP stream to other child analyzers if it's a
CONNECT tunnel (see lines 998 through 1019 in
src/analyzer/protocol/http/HTTP.cc). It's a bit beyond me how to get
this working; I needed help from Seth to get it working with RDP, but
maybe someone with more experience can add this to their todo list.

On Mon, Oct 5, 2015 at 5:59 PM, John B. Althouse III
<sudo.darkstar at gmail.com> wrote:
> Has anyone come up with a way to get Bro to capture the SSL cert details
> when it's over a HTTP Connect tunnel? Attached is a sample PCAP.
>
> Thanks!

