[Bro] HTTPS Decryption

Johanna Amann johanna at icir.org
Tue Jun 13 10:05:57 PDT 2017


Oh - sorry, I misunderstood the question. In any case - no, as far as I
know, no one has done exactly what I said in the original thread
(stripping encryption while keeping the framing intact). That would need
modifications to Bro; nothing changed since the thread you linked to.

I don't know viewssld; if it outputs just a decrypted HTTP stream, Bro
will pick it up by itself. There are a number of people that just use Bro
behind an SSL terminator, which is kind of similar conceptually. If it
outputs some other format, you will have to adjust the Bro protocol
parsers.

Johanna

On Fri, Jun 09, 2017 at 08:15:28PM -0700, Osama Elnaggar wrote:
> Thanks Johanna.  But I was actually looking at the use case where you
> terminated PFS at a load balancer (or other device at the perimeter) and
> used upstream SSL (non PFS) to the backend servers.
> 
> Would it be possible to forward SSL packets to viewssld -
> https://github.com/plashchynski/viewssld - and then back to Bro?
> 
> Thanks.
> 
> -- 
> Osama Elnaggar
> 
> On June 10, 2017 at 1:04:05 PM, Johanna Amann (johanna at icir.org) wrote:
> 
> On Fri, Jun 09, 2017 at 07:23:53PM -0700, Osama Elnaggar wrote:
> > I noticed the issue of decrypting HTTPS was mentioned several times over
> > the years (with the last time back in 2015 I think -
> > http://mailman.icsi.berkeley.edu/pipermail/bro/2015-June/008568.html) and
> > was wondering if this feature was ever added or if anyone was able to
> > successfully implement it.
> 
> No, not to my knowledge. There were several people who wanted to implement
> it over the years - if someone did it, they never open-sourced it.
> 
> That being said - due to the prevalence of perfectly forward secure
> ciphers, TLS decryption is not really an option anymore in most use-cases.
> 
> Johanna

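As an added example (not code from this thread or from Bro itself): a small Python script that reads a Bro ssl.log and classifies each session's cipher suite by key exchange, so a defender can measure what share of sessions use forward-secret ciphers (not passively decryptable even with the server key) and which backend endpoints still negotiate static RSA, as in the terminate-PFS-at-the-load-balancer design discussed above. It assumes Bro's default ssl.log column names; the log content is constructed sample data.

```python
"""Classify TLS sessions in a Bro ssl.log by key-exchange type."""
import re
from collections import Counter

# Constructed sample in Bro's tab-separated log format (not a real capture).
SAMPLE_SSL_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name\n"
    "1497000000.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\tTLSv12\t"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\tfront.example\n"
    "1497000001.2\tC2\t192.0.2.10\t42000\t10.0.1.20\t8443\tTLSv12\t"
    "TLS_RSA_WITH_AES_128_CBC_SHA\tbackend.example\n"
    "1497000002.3\tC3\t10.0.0.7\t51001\t192.0.2.10\t443\tTLSv12\t"
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384\tfront.example\n"
    "1497000003.4\tC4\t10.0.0.8\t51002\t192.0.2.11\t443\tTLSv13\t"
    "TLS_AES_256_GCM_SHA384\tfront.example\n"
    "#close\t2017-06-13-10-05-57\n"
)

# Suites whose key exchange is a static (non-ephemeral) RSA/DH/ECDH server key.
STATIC_KX = re.compile(r"^TLS_(RSA|ECDH_RSA|ECDH_ECDSA|DH_RSA|DH_DSS)_")


def key_exchange(cipher):
    """Return 'pfs', 'static' or 'unknown' for an IANA cipher-suite name."""
    if cipher.startswith(("TLS_AES_", "TLS_CHACHA20_")):  # TLS 1.3: always (EC)DHE
        return "pfs"
    if "_ECDHE_" in cipher or "_DHE_" in cipher:          # ephemeral (EC)DH
        return "pfs"
    if STATIC_KX.match(cipher):                            # server key decrypts passively
        return "static"
    return "unknown"


def parse_ssl_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is not None:
            yield dict(zip(fields, line.split("\t")))


def summarize(text):
    """Count sessions per key-exchange class and list static-key server endpoints."""
    counts, static_servers = Counter(), []
    for row in parse_ssl_log(text):
        kx = key_exchange(row["cipher"])
        counts[kx] += 1
        if kx == "static":
            static_servers.append((row["id.resp_h"], row["id.resp_p"], row["server_name"]))
    return counts, static_servers
```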
