Capturing the SSL cert via HTTP Connect Method

Has anyone come up with a way to get Bro to capture the SSL cert details when it's over an HTTP CONNECT tunnel? Attached is a sample PCAP.

Thanks!

151005-93OevfuI6-RCPI4P1roPumvw.pcap (6.62 KB)

I don't think this would be too difficult to add; there's already
code that hands off the HTTP stream to other child analyzers if it's a
CONNECT tunnel (see lines 998 through 1019 in
src/analyzer/protocol/http/HTTP.cc). It's a bit beyond me how to get
this working; I needed help from Seth to get it working with RDP, but
maybe someone with more experience can add this to their todo list.

This actually is usually already supported in Bro. If I am not mistaken,
the reason why this does not work in this case is the proxy-agent header
in the response from the HTTP server.

https://bro-tracker.atlassian.net/browse/BIT-1487 has the details and a
patch that might fix your problem.

I hope this helps,
Johanna

Thanks Johanna! That’s exactly what I was looking for. Any idea when this will make it into the master repo?
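To make the hand-off discussed in the second reply concrete (the HTTP analyzer finishes at the proxy's CONNECT response and the bytes after it belong to a child TLS analyzer) and to show where a response header like the Proxy-Agent one Johanna points to sits in that exchange, here is an added Python example. It is not Bro's code; the proxy name, host and the truncated ClientHello are constructed sample data, with both directions of the exchange concatenated in order for simplicity.

```python
import re

# Constructed sample stream: CONNECT request, proxy response with a
# Proxy-Agent header, then the start of a TLS ClientHello sent through
# the opened tunnel (record: handshake 0x16, TLS 1.0, 4-byte payload,
# handshake type ClientHello 0x01, body truncated).
SAMPLE_STREAM = (
    b"CONNECT example.test:443 HTTP/1.1\r\n"
    b"Host: example.test:443\r\n\r\n"
    b"HTTP/1.1 200 Connection established\r\n"
    b"Proxy-Agent: ExampleProxy/1.0\r\n\r\n"
    + bytes.fromhex("160301000401000000")
)


def parse_http_message(data: bytes):
    """Split one HTTP head from the bytes that follow its blank line.
    Returns (start_line, headers, rest); header names are lower-cased."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("ascii").partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].decode("ascii"), headers, rest


def split_connect_tunnel(stream: bytes):
    """Return (status, response_headers, tunneled_bytes) for a CONNECT
    exchange. The tunneled bytes are what an HTTP analyzer should hand
    to a child analyzer (TLS here); on a non-2xx answer there are none."""
    request_line, _, after_request = parse_http_message(stream)
    if request_line.split(" ", 1)[0] != "CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line}")
    status_line, resp_headers, tunneled = parse_http_message(after_request)
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not m:
        raise ValueError(f"bad status line: {status_line}")
    status = int(m.group(1))
    return status, resp_headers, tunneled if 200 <= status < 300 else b""


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if payload opens with a TLS handshake record whose first
    handshake message is a ClientHello (0x16, major 3, type 0x01)."""
    if len(payload) < 6:
        return False
    return payload[0] == 0x16 and payload[1] == 3 and payload[5] == 0x01
```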