How to capture metadata for https traffic using Bro

Question

I have captured some data using the following tcpdump command.

tcpdump -i eth1 -w eth1_data.pcap -X

After that I ran the following command to analyze the eth1_data.pcap file using Bro.

bro -r eth1_data.pcap local "Site::local_nets += { 10.0.0.0/8 }"

I am using Bro version 2.4.1. I have not changed any configuration other than the above command. A lot of files are generated after the above command executes. Now I have to find the bytes transferred by some social websites, e.g. https://www.twitter.com. I have not found correct information about the above sites in http.log.

I know that the content of https sites is encrypted, but metadata can be extracted (as app_stats.log also gives some info).

Is it correct that I should pick the UID from ssl.log and then find the resp_ip_bytes transferred from conn.log with the same uid?

Or is there any alternate way to get metadata information for https sites?

Answer

It sounds like you are on the right path already.

One small note to keep in mind when using resp_ip_bytes is that the size there will include the IP and TCP headers from each packet. Also, no TCP reassembly is accounted for in that number, so packet retransmits will increase the number even though no new data was sent. If you are looking for the content body size, you should use the resp_bytes field, but keep in mind that this will still include all of the SSL/TLS framing, and the content in that count may be compressed.

Another small note I wanted to make is that we removed the app_stats script from 2.5 due to lack of maintenance and general issues with the approach.

Is there something in particular that you are looking for?
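The uid join described above (ssl.log to conn.log, reporting resp_bytes next to resp_ip_bytes), as an added Python example that is not from the original post or from Bro itself. The log contents, uids and addresses are constructed sample data in Bro 2.4's ASCII log layout, and the fallback to the responder IP for connections that carry no SNI is an assumption of this example.

```python
from collections import defaultdict

# Constructed sample logs in Bro 2.4's tab-separated ASCII format (not real captures);
# only a subset of the real columns is included, the parser reads whatever #fields lists.
SSL_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name
1.0\tCuid1\t10.0.0.5\t50001\t104.244.42.1\t443\tTLSv12\twww.twitter.com
2.0\tCuid2\t10.0.0.5\t50002\t104.244.42.1\t443\tTLSv12\twww.twitter.com
3.0\tCuid3\t10.0.0.6\t50003\t93.184.216.34\t443\tTLSv12\t-
4.0\tCuid4\t10.0.0.6\t50004\t104.244.42.1\t443\tTLSv12\twww.twitter.com
"""
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\torig_ip_bytes\tresp_ip_bytes
1.0\tCuid1\t10.0.0.5\t50001\t104.244.42.1\t443\ttcp\tssl\t800\t1500\t1300\t2100
2.0\tCuid2\t10.0.0.5\t50002\t104.244.42.1\t443\ttcp\tssl\t300\t500\t600\t900
3.0\tCuid3\t10.0.0.6\t50003\t93.184.216.34\t443\ttcp\tssl\t120\t-\t240\t300
5.0\tCuid9\t10.0.0.7\t50005\t93.184.216.34\t80\ttcp\thttp\t200\t4000\t400\t4600
"""

def parse_bro_log(text):
    """Parse a Bro ASCII log into dicts keyed by the names in its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and similar lines carry no records
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def to_int(value):
    return 0 if value == "-" else int(value)  # Bro writes '-' for an unset field

def https_bytes_by_server_name(ssl_text, conn_text):
    """Join ssl.log to conn.log on uid and total response bytes per TLS server name.
    resp_bytes is still TLS framed; resp_ip_bytes also counts IP/TCP headers and retransmits."""
    conns = {row["uid"]: row for row in parse_bro_log(conn_text)}
    totals = defaultdict(lambda: {"conns": 0, "resp_bytes": 0, "resp_ip_bytes": 0})
    for ssl in parse_bro_log(ssl_text):
        conn = conns.get(ssl["uid"])
        if conn is None:  # ssl.log entry with no matching conn.log row (e.g. rotated away)
            continue
        # Assumption: fall back to the responder IP when the client sent no SNI ('-').
        name = ssl["server_name"] if ssl["server_name"] != "-" else ssl["id.resp_h"]
        t = totals[name]
        t["conns"] += 1
        t["resp_bytes"] += to_int(conn["resp_bytes"])
        t["resp_ip_bytes"] += to_int(conn["resp_ip_bytes"])
    return dict(totals)
```

Connections present only in conn.log (the plain-http Cuid9 row) are never counted, and an ssl.log uid with no conn.log row is skipped rather than raising.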
