Bro Tor SSL suppression

Zeek
1

Hey,

I run a few networks that have some combination of Tor users and Tor
servers. The SSL traffic is rather noisy, and on some networks I want to
know which users are using Tor for tunnel-tracking purposes. I took
jsiwek's example of Input Framework code and beat on it until it used a
list of Tor servers to suppress SSL warnings and track Tor clients. Here
it is:

https://github.com/lruppert/bro-tor

A couple questions:

1. Is there a way to get a table loaded via the Input framework on a
cluster master to be visible by the cluster workers? You'd think
&synchronized would be the ticket to awesomeness, but all it did was
shame me.

2. Is there any nice sample code for hooking into the Software framework
and logging software? It would be fun to log Tor clients and servers in
the software log as well, or instead.

3. Is the tunnels log just a log of tunnels bro can bust open and feast
on the entrails of, or would it be appropriate to log opaque tunnels
like Tor or VPNs in there too?

2

1. Is there a way to get a table loaded via the Input framework on a
cluster master to be visible by the cluster workers? You'd think
&synchronized would be the ticket to awesomeness, but all it did was
shame me.

One idea would be to have the manager feed back the table entries to worker nodes via an even and workers assign the entry in their local tablet. The manager could raise those events in an Input::update_finished or Input::end_of_data handler (depends on Bro version which to use).

2. Is there any nice sample code for hooking into the Software framework
and logging software? It would be fun to log Tor clients and servers in
the software log as well, or instead.

Maybe Seth or someone else can point to a particularly helpful example, but `grep -R Software::found scripts/` in the source code is probably what I would reference.

3. Is the tunnels log just a log of tunnels bro can bust open and feast
on the entrails of, or would it be appropriate to log opaque tunnels
like Tor or VPNs in there too?

Seems appropriate to me. Calling Tunnel::register() whenever a new tunnel is found should be enough to log/track it. E.g:

module Tunnel;

redef enum Tunnel::Type += {
    VPN
};

event some_event(c: connection)
  {
  Tunnel::register(EncapsulatingConn($cid=c$id, $tunnel_type=Tunnel::VPN, $uid=c$uid));
  }

- Jon