HTTPS Analyzer

Hello,

I am quite new to Bro and need some help. I did go through some of the documentation and some source code but am still not clear whether it's possible to achieve what we are trying to do.

In a nutshell, we are trying to write an HTTPS analyzer for on-the-fly decryption of the SSL stream and then feed it to the built-in HTTP Analyzer. We will use a crypto library + server keys to achieve the decryption. Is it possible at all to do this in Bro?

The high level idea is to derive the HTTPS_Analyzer from the current HTTP_Analyzer, feed the stream from TCP_Analyzer into the HTTPS_Analyzer and utilize the HTTP_Analyzer calls for the remainder of the functionality.

Thanks for your help,
NB

Hello,

In a nutshell, we are trying to write an HTTPS analyzer for on-the-fly
decryption of the SSL stream and then feed it to the built-in HTTP
Analyzer. We will use a crypto library + server keys to achieve the
decryption. Is it possible at all to do this in Bro?

Sure, in theory it is possible to do that. You would have to extend the
current SSL analyzer and start decrypting the packets at the right point
in time. You should not even have to implement an HTTPS analyzer; you
basically can just shove the decrypted data back into the Bro processing
pipeline.

The best example for this happening might potentially be one of the tunnel
analyzers -- SMTP also does it by attaching SSL as a sub-analyzer in case
STARTTLS is used.

The biggest problem will probably be to get the SSL analyzer changed to
decrypt the data. You also will have to get your encryption keys into Bro
somehow before the first encrypted data packet is parsed by the SSL
analyzer.

Johanna

Thanks, Johanna. The suggestion of extending the SSL analyzer is much appreciated.

“you basically can just shove the decrypted data back into the Bro processing pipeline.”

I am assuming that by the above you mean to just call the “ForwardStream()” method? Please confirm if that’s the case.

“The biggest problem will probably be to get the SSL analyzer changed to
decrypt the data. You also will have to get your encryption keys into Bro
somehow before the first encrypted data packet is parsed by the SSL
analyzer.”

Wouldn't loading the key via the new class’s constructor or as a statically initialized value be enough? Maybe I missed something important here. Can you please clarify?

Thanks
Nikunj

Hi Johanna (and everyone else on the list),

I am currently struggling with how to put the decrypted data back into the Bro pipeline. I am able to get the data decrypted in my analyzer (actually it's just a test that XORs the data and XORs it back in the analyzer) and I am calling ForwardStream() with the new data and length. I have checked and double-checked that everything looks like it should, i.e. the resulting stream is HTTP data (headers, content, etc.), but for some reason the HTTP analyzer does not get invoked. Please help.

Thanks
Nikunj
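The sub-analyzer pattern Johanna describes (SMTP attaching SSL for STARTTLS) and the ForwardStream() call discussed in the later posts, as an added stand-alone C++ model; this is not Bro code and not a reply from anyone on the list. The classes Analyzer, HttpAnalyzer and XorDecryptAnalyzer and the method signatures are simplified stand-ins for Bro's analyzer tree, and the XOR key and request line are constructed sample input; the one behaviour the model keeps from Bro is that ForwardStream() delivers data only to child analyzers that have been attached.

```cpp
#include <memory>
#include <string>
#include <vector>
// Minimal stand-in for Bro's analyzer tree (constructed model, not Bro's headers).
class Analyzer {
public:
    virtual ~Analyzer() = default;
    virtual void DeliverStream(const std::string& data, bool orig) = 0;
    void AddChildAnalyzer(std::shared_ptr<Analyzer> child) { children_.push_back(std::move(child)); }
protected:
    // Stand-in for ForwardStream(): hands data only to attached children.
    void ForwardStream(const std::string& data, bool orig) {
        for (auto& c : children_) c->DeliverStream(data, orig);
    }
private:
    std::vector<std::shared_ptr<Analyzer>> children_;
};
// Stand-in for the HTTP analyzer: records what it was handed.
class HttpAnalyzer : public Analyzer {
public:
    void DeliverStream(const std::string& data, bool) override { seen_ += data; }
    bool SawRequest() const { return seen_.rfind("GET ", 0) == 0; }
private:
    std::string seen_;
};
// Toy "decrypting" analyzer: XOR with a fixed key, like the test in the thread.
class XorDecryptAnalyzer : public Analyzer {
public:
    explicit XorDecryptAnalyzer(unsigned char key) : key_(key) {}
    void DeliverStream(const std::string& data, bool orig) override {
        std::string plain(data);
        for (auto& ch : plain) ch = static_cast<char>(static_cast<unsigned char>(ch) ^ key_);
        ForwardStream(plain, orig);  // reaches only attached children
    }
private:
    unsigned char key_;
};
// Runs one constructed request through the tree; attach_http decides whether the
// HTTP stand-in is made a child of the decrypting analyzer (as SMTP does with SSL).
bool HttpSeesDecryptedRequest(bool attach_http) {
    const unsigned char key = 0x5A;                   // constructed test key
    std::string cipher = "GET / HTTP/1.1\r\n\r\n";   // constructed sample request
    for (auto& ch : cipher) ch = static_cast<char>(static_cast<unsigned char>(ch) ^ key);
    auto http = std::make_shared<HttpAnalyzer>();
    XorDecryptAnalyzer tls(key);
    if (attach_http) tls.AddChildAnalyzer(http);
    tls.DeliverStream(cipher, true);
    return http->SawRequest();
}
```

Without the AddChildAnalyzer() step the forwarded plaintext has no receiver, which is what the model's second case exercises.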