I noticed the issue of decrypting HTTPS was mentioned several times over the years (with the last time back in 2015 I think - http://mailman.icsi.berkeley.edu/pipermail/bro/2015-June/008568.html) and was wondering if this feature was ever added or if anyone was able to successfully implement it.
Thanks a lot.
No, not to my knowledge. There were several people who wanted to implement
it over the years - if someone did it, they never open-sourced it.
That being said - due to the prevalence of perfectly forward secure
ciphers, TLS decryption is not really an option anymore in most use-cases.
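As an added illustration (not part of the thread, and not Bro's own code): a Bro/Zeek script that tags each TLS session in ssl.log with whether its key exchange is forward secret, i.e. whether passive decryption with the server's private key would even be possible. It assumes the standard `SSL::Info` fields `version` and `cipher` filled by the SSL analyzer.

```zeek
# Added example: mark each TLS session as forward secret (T) or not (F).
# Sessions marked T cannot be decrypted passively with the server's RSA key.
# Assumes SSL::Info carries the usual `version` and `cipher` fields.

module FSCheck;

export {
    redef record SSL::Info += {
        ## T if the negotiated key exchange provides forward secrecy.
        forward_secret: bool &log &optional;
    };
}

event ssl_established(c: connection)
    {
    if ( ! c?$ssl || ! c$ssl?$cipher )
        return;

    # TLS 1.3 only negotiates (EC)DHE; for earlier versions the cipher
    # suite name shows whether an ephemeral DH/ECDH exchange was used.
    if ( c$ssl?$version && c$ssl$version == "TLSv13" )
        c$ssl$forward_secret = T;
    else
        c$ssl$forward_secret = /^TLS_(ECDHE|DHE)_/ in c$ssl$cipher;
    }
```

Load it alongside the SSL analyzer and filter ssl.log on forward_secret=F to see which sessions a static-key decryption setup could still cover.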
Thanks Johanna. But I was actually looking at the use case where you terminated PFS at a load balancer (or other device at the perimeter) and used upstream SSL (non PFS) to the backend servers.
Would it be possible to forward SSL packets to viewssld - https://github.com/plashchynski/viewssld - and then back to Bro?
Oh - sorry, I misunderstood the question. In any case - no, as far as I
know, no one has done exactly what I said in the original thread
(stripping encryption while keeping the framing intact). That would need
modifications to Bro; nothing changed since the thread you linked to.
I don't know viewssld; if it outputs just a decrypted HTTP stream, Bro
will pick it up by itself. There are a number of people that just use Bro
behind an SSL terminator, which is kind of similar conceptually. If it
outputs some other format, you will have to adjust the Bro protocol