[Bro] Bro HTTPS analyzer

philosnef philosnef at yahoo.com
Fri Sep 16 07:20:29 PDT 2016


Generally, you do not "process" https traffic with Bro. Either you break it out, or you just look peripherally at the traffic (things like certificate information, conn tracking). If you truly want to do full inspection of https, you need an ssl proxy or breakout solution. Once it is broken out, there is nothing you need to do. Bro reads it exactly the same as any other http traffic. 

On Friday, September 16, 2016 10:00 AM, "bro-request at bro.org" <bro-request at bro.org> wrote:

 Send Bro mailing list submissions to
    bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
    bro-request at bro.org

You can reach the person managing the list at
    bro-owner at bro.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Bro digest..."


Today's Topics:

  1. Bro HTTPS analyzer (Mohan Dhawan)
  2. Re: Bro HTTPS analyzer (anthony kasza)
  3. Ip-based (Daniel Manzo)
  4. Re: Ip-based (K2)
  5. Re: Ip-based (Daniel Manzo)


----------------------------------------------------------------------

Message: 1
Date: Fri, 16 Sep 2016 12:13:06 +0530
From: Mohan Dhawan <mohan.dhawan at gmail.com>
Subject: [Bro] Bro HTTPS analyzer
To: bro at bro.org
Message-ID: <ba1177b3-099a-d024-8c39-83f6a705492f at gmail.com>
Content-Type: text/plain; charset="utf-8"

Dear All,

I wish to analyze HTTPS traffic with Bro and want to know what specific
changes might need to be done to the existing HTTP analyzer framework.

Thanks for the help.

Regards,
mohan


------------------------------

Message: 2
Date: Fri, 16 Sep 2016 04:58:13 -0400
From: anthony kasza <anthony.kasza at gmail.com>
Subject: Re: [Bro] Bro HTTPS analyzer
To: Mohan Dhawan <mohan.dhawan at gmail.com>
Cc: bro at bro.org
Message-ID:
    <CAEZw2bwb_AgaRFavm0RbPYcX1j+D=rs+WEwaMS4WLiAmYz8Yfw at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

This really depends on your HTTP traffic. Bro handles the majority of HTTP
cleanly directly out of the box. Have you tried feeding Bro some sample trace
files to see what shows up in the http.log file?

-AK

On Sep 16, 2016 2:45 AM, "Mohan Dhawan" <mohan.dhawan at gmail.com> wrote:

> Dear All,
>
> I wish to analyze HTTPS traffic with Bro and want to know what specific
> changes might need to be done to the existing HTTP analyzer framework.
>
> Thanks for the help.
>
> Regards,
> mohan
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>

------------------------------

Message: 3
Date: Fri, 16 Sep 2016 13:25:58 +0000
From: Daniel Manzo <daniel.manzo at bayer.com>
Subject: [Bro] Ip-based
To: "bro at bro.org" <bro at bro.org>
Message-ID:
    <2C7473428EFB4348960ACC47FDC529451ACC43CE at MOXCXR.na.bayer.cnb>
Content-Type: text/plain; charset="us-ascii"

Hi all,

Just to verify before setting up Bro, this IDS is not IP-based, correct? It looks like it is not, but I just want to be certain.

Thanks,

Dan Manzo

------------------------------

Message: 4
Date: Fri, 16 Sep 2016 08:45:42 -0500
From: K2 <k2 at korrosivesecurity.com>
Subject: Re: [Bro] Ip-based
To: bro at bro.org
Message-ID:
    <1474033542.2536909.727804513.31A76C11 at webmail.messagingengine.com>
Content-Type: text/plain; charset="us-ascii"

What do you mean by IP-based?  Are you asking if it is designed for
intrusion prevention?  The answer to that would be no.

Bro gives you pretty much all the information you'd ever want to know
about your network traffic, but leaves it to the analyst to decide what
is good and what is bad.

Kory

On Fri, Sep 16, 2016, at 08:25 AM, Daniel Manzo wrote:
> Hi all,
>
> Just to verify before setting up Bro, this IDS is not IP-based,
> correct? It looks like it is not, but I just want to be certain.
>
> Thanks,
>
> Dan Manzo

------------------------------

Message: 5
Date: Fri, 16 Sep 2016 13:59:46 +0000
From: Daniel Manzo <daniel.manzo at bayer.com>
Subject: Re: [Bro] Ip-based
To: K2 <k2 at korrosivesecurity.com>, "bro at bro.org" <bro at bro.org>
Message-ID:
    <2C7473428EFB4348960ACC47FDC529451ACC4404 at MOXCXR.na.bayer.cnb>
Content-Type: text/plain; charset="us-ascii"

Okay, I meant IP address based. By that I mean - are there any settings or configuration files that require specific IPs to be set in order for Bro to work? I'm trying to explain to my colleague how Bro works, but having a hard time myself. From my understanding it doesn't need any IP addresses, and will monitor whatever traffic is incoming from the server's NICs. Is this correct?

Thanks,
Dan Manzo


------------------------------


End of Bro Digest, Vol 125, Issue 18
************************************
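The reply at the top of this thread says the usual way to handle HTTPS in Bro is to look at it "peripherally" (certificate information and connection tracking) rather than to decrypt it. The following Bro script, written as an added illustration and not part of the thread or of the Bro project's own scripts, shows what that peripheral view gives you: for every established TLS session it records the SNI, the subject and issuer of the server's leaf certificate and its expiry, and raises a Notice when the certificate has already expired. It assumes Bro 2.x script semantics (the `ssl_established` event, the `SSL::Info$cert_chain` and `Files::Info$x509` fields, and the `validation_status` field added by the stock `protocols/ssl/validate-certs` policy script); the module name `HTTPSPeripheral` and the notice type `Expired_Server_Cert` are the example's own.

```bro
##! Added example (not from the thread): inspecting HTTPS without decrypting it.
##! Everything used here comes from the TLS handshake that Bro sees in the clear:
##! the SNI, the server's leaf certificate, and the result of chain validation.
##! Assumes Bro 2.x; field and event names follow the base SSL/X509 analyzers
##! plus the validate-certs policy script. Module and notice names are invented.

@load base/protocols/ssl
@load base/files/x509
@load protocols/ssl/validate-certs

module HTTPSPeripheral;

export {
    redef enum Notice::Type += {
        ## The server presented a certificate whose validity period has ended.
        Expired_Server_Cert,
    };
}

# Default priority (0) runs after validate-certs' own ssl_established handler
# (priority 3), so c$ssl$validation_status is already filled in when we look.
event ssl_established(c: connection)
    {
    # A resumed session carries no certificate, so there is nothing to inspect.
    if ( ! c$ssl?$cert_chain || |c$ssl$cert_chain| == 0 ||
         ! c$ssl$cert_chain[0]?$x509 )
        return;

    local leaf = c$ssl$cert_chain[0]$x509$certificate;
    local sni = c$ssl?$server_name ? c$ssl$server_name : "<no SNI>";
    local validation = c$ssl?$validation_status ? c$ssl$validation_status : "<not checked>";

    # Metadata-level view of the session: who talked to whom, which identity
    # the server claimed, and whether the chain validated. No payload is read.
    print fmt("%s -> %s:%s sni=%s subject=%s issuer=%s expires=%s validation=%s",
              c$id$orig_h, c$id$resp_h, c$id$resp_p, sni,
              leaf$subject, leaf$issuer,
              strftime("%Y-%m-%d", leaf$not_valid_after), validation);

    # Expired leaf certificate: cheap to detect from metadata alone and a
    # common sign of a forgotten internal service or an interception box.
    if ( leaf$not_valid_after < network_time() )
        NOTICE([$note=Expired_Server_Cert,
                $msg=fmt("expired certificate for %s (%s)", sni, leaf$subject),
                $conn=c,
                $identifier=cat(c$id$resp_h, c$id$resp_p, leaf$subject)]);
    }
```

Run it against a capture with `bro -r https.pcap httpsperipheral.bro`: the per-session lines come out on stdout, the same fields land in ssl.log and x509.log as usual, and expired certificates show up in notice.log. Chain-validation failures are already reported by validate-certs itself as `SSL::Invalid_Server_Cert`, which is why the script only prints the status rather than raising a second notice for it.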