Subclassing from SSL Analyzer


I am trying to subclass from SSL Analyzer such that the derived class can decrypt the encrypted SSL data (it will have the server’s private key). I have to #include <SSL.h> in my new plugin’s header file to allow the derived class declaration to work but doing that is causing the following compiler error:

Scanning dependencies of target plugin-Bro-SSLDecrypt

[ 66%] Building CXX object src/analyzer/protocol/ssldecrypt/CMakeFiles/plugin-Bro-SSLDecrypt.dir/
In file included from /Users/nikunj/git/bro/src/analyzer/protocol/ssldecrypt/
In file included from /Users/nikunj/git/bro/src/analyzer/protocol/ssldecrypt/SSLDecrypt.h:12:
/Users/nikunj/git/bro/src/analyzer/protocol/ssl/SSL.h:4:10: fatal error: ‘events.bif.h’ file not found
#include “events.bif.h”
1 error generated.
make[3]: *** [src/analyzer/protocol/ssldecrypt/CMakeFiles/plugin-Bro-SSLDecrypt.dir/] Error 1
make[2]: *** [src/analyzer/protocol/ssldecrypt/CMakeFiles/plugin-Bro-SSLDecrypt.dir/all] Error 2
make[1]: *** [all] Error 2
make: *** [all] Error 2

How can I work around this issue?

An option I was thinking of was to directly change the SSL analyzer’s code and not subclass at all. But that would mean I will have to keep patching it forward as we get newer Bro releases.


I don’t believe you want to subclass the analyzer. The right way is to poke the right decryption into the right place in the analyzer. It’s remarkably easy if you understand Binpac well. We wouldn’t intrinsically have any issues with merging SSL decryption into Bro either if it’s done well, there is no reason for you to maintain a patch set moving forward. If it was brought into Bro we would need tests too so that even for us to maintain it, it shouldn’t be overly onerous.

I guess I’ll go ahead and admit it now... I have some changes to the SSL analyzer that I haven’t pushed out anywhere that poke into the right places in the analyzer to decrypt traffic. What I’ve gotten stuck on (due to lack of time and inexperience) is doing the actual decryption. If there is someone out there that has done this before I’d be interested in talking and possibly working together on it. We can certainly make this happen and get this into a Bro release. I think that we could even do some really neat stuff that other open source decryption tools aren’t doing due to Bro being so dynamic.

Anyone interested? (I’m still not going to post my code publicly, I don’t want to get the questions that I’d inevitably get if I did)


Even if you've got the key, isn't the analyser going to be stymied in the
presence of Diffie-Hellman in the cipher suite? SSL decryption (with the
server's key) works well enough when the client is using the server's public
key to encrypt the pre-master secret, but the private key is of no use when DH
is in play.


Yep, SSL/TLS decryption is far from a panacea. It is a neat example in the analyzer though and I think we can do it more cleanly than I’ve seen most other projects do it (and make it easier to use!).


We are trying to use openssl to get it going though. Do you see any technical issues with that?

Nope, since OpenSSL is already a required dependency that’s how we’d require it to be implemented anyway. :slight_smile:

We could also make it pluggable/decoupled from openssl enough that it could be turned on only when required with the openssl's crypto and ssl DLLs being provided by the specific installation.

No need since we require OpenSSL anyway.