How to monitor video and https traffic using bro n

Posted 2019-06-11 12:21

I have configured bro on my system successfully. OS is CentOS 7. I have to monitor multimedia traffic, e.g. YouTube, and some social sites like Facebook. I started bro for some minutes while using Facebook and YouTube, but there is no information about YouTube in the http log file, nor Facebook. As far as I think, this is a protocol problem, as Facebook uses https rather than http, but I do not know why YouTube.

I have followed the following steps after setting the correct interface.

[BroControl] > install

Then

[BroControl] > start

But I have not found any YouTube or Facebook info in http.log. How do I get traffic info for such websites?

2 answers
Luminary・发光体
#2 · 2019-06-11 12:24

The problem is that you are expecting SSL encrypted traffic to be magically decrypted and appear in your http.log. If you look again, you will find that YouTube also runs over HTTPS.

Unless you are doing something to intercept and act as a man-in-the-middle for the SSL/TLS connections, you cannot expect to be able to see the content. If you can't see it, Bro can't see it either. :)

If you want to verify that you are properly configured, you would be best served looking at the conn.log to verify that the connections are occurring. Once you do that, search for the UID values in the other logs and I strongly suspect that you will see that you are finding SSL certificate data.
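The check this answer describes, written out as an added example (it is not code from the question or from the Bro project): parse conn.log and ssl.log in Bro's tab-separated format, join them on the UID, and list the TLS connections whose SNI names YouTube or Facebook. The two log excerpts are constructed sample data with a subset of the real columns; because the parser reads the #fields header, it runs unchanged on real files from /usr/local/bro/logs/current/.

```python
"""Correlate Bro conn.log and ssl.log by UID to show that HTTPS sites are seen
as TLS connections even though nothing about them appears in http.log."""
import codecs
import re

# Constructed sample conn.log (a real file carries more columns; the parser
# does not care, it follows the #fields line).
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1560241234.123456\tCAbc1dEf2GhI3jKl4m\t192.0.2.10\t51234\t198.51.100.20\t443\ttcp\tssl\t12.5\t2048\t1048576\tSF
1560241240.654321\tCxyz9WvU8TsR7qPo6n\t192.0.2.10\t51240\t198.51.100.30\t443\ttcp\tssl\t3.2\t1024\t65536\tSF
1560241250.000000\tCqwe5RtY4UiO3pAs2d\t192.0.2.10\t51250\t203.0.113.40\t80\ttcp\thttp\t0.4\t300\t1500\tSF
#close\t2019-06-11-12-30-00
"""

# Constructed sample ssl.log; server_name is the SNI sent in the ClientHello,
# which is visible without decrypting anything.
SSL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tcipher\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1560241234.223456\tCAbc1dEf2GhI3jKl4m\t192.0.2.10\t51234\t198.51.100.20\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.youtube.com
1560241240.754321\tCxyz9WvU8TsR7qPo6n\t192.0.2.10\t51240\t198.51.100.30\t443\tTLSv12\tTLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\twww.facebook.com
#close\t2019-06-11-12-30-00
"""


def parse_bro_log(text):
    """Return (fields, rows). Rows are dicts keyed by the #fields names;
    values equal to the #unset_field marker (normally '-') become None."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is the only header that uses a space.
                sep = codecs.decode(line.split(" ", 1)[1], "unicode_escape")
            elif line.startswith("#unset_field"):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #types, #open, #close and friends carry no data
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        rows.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return fields, rows


def correlate_by_uid(conn_rows, *other_logs):
    """Attach rows from other logs (given as (name, rows) pairs) to the
    conn.log entry that shares their UID."""
    merged = {r["uid"]: dict(r) for r in conn_rows}
    for name, rows in other_logs:
        for r in rows:
            if r["uid"] in merged:
                merged[r["uid"]][name] = r
    return merged


def tls_connections_to(merged, pattern):
    """Sorted UIDs of TLS connections whose SNI matches the regex pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return sorted(uid for uid, e in merged.items()
                  if e.get("ssl") and e["ssl"].get("server_name")
                  and rx.search(e["ssl"]["server_name"]))


if __name__ == "__main__":
    _, conn = parse_bro_log(CONN_LOG)
    _, ssl = parse_bro_log(SSL_LOG)
    merged = correlate_by_uid(conn, ("ssl", ssl))
    for uid, e in merged.items():
        sni = e["ssl"]["server_name"] if "ssl" in e else "(no ssl.log entry)"
        print(f"{uid} {e['id.orig_h']} -> {e['id.resp_h']}:{e['id.resp_p']} "
              f"service={e['service']} sni={sni}")
    print("youtube:", tls_connections_to(merged, r"youtube\.com$"))
```

On a real sensor, replace the two constants with the contents of conn.log and ssl.log; the http.log will still only list the cleartext port-80 connection, which is the whole point of the answer above.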

【Aperson】
#3 · 2019-06-11 12:26

Several things come to mind:

1) What are the contents of /usr/local/bro/etc/node.cfg? Make sure it is the interface you expect traffic to cross via a span or tap.

2) Run tcpdump -i <interface> where interface comes from question 1.

3) Run /usr/local/bro/bin/broctl diag to see if there are any issues.

4) Run /usr/local/bro/bin/broctl status to verify everything is running.

If the interface is wrong, the solution may be that easy.
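Step 1 of the list above, as an added example rather than anything from Bro itself: read node.cfg, pull the interface= value of every node, and check that the kernel actually has an interface by that name before anything is restarted. The node.cfg text is a constructed sample; on a default install the real file is /usr/local/bro/etc/node.cfg and can be passed as the first argument.

```python
"""Verify that the interface(s) named in Bro's node.cfg exist on this host,
the first thing to rule out when conn.log stays empty."""
import configparser
import socket
import sys

# Constructed example of a standalone node.cfg (the file format is INI).
SAMPLE_NODE_CFG = """# constructed sample, not a real sensor's config
[bro]
type=standalone
host=localhost
interface=eth0
"""


def configured_interfaces(cfg_text):
    """Return {section: interface} for every node section that sets interface=."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return {s: cp[s]["interface"] for s in cp.sections() if "interface" in cp[s]}


def host_interfaces():
    """Interface names the kernel knows about (Linux/BSD; uses socket.if_nameindex)."""
    return {name for _, name in socket.if_nameindex()}


def check_node_cfg(cfg_text, available=None):
    """Return {section: (interface, present)}. 'available' lets a caller supply
    the interface set explicitly; by default it is read from the kernel."""
    avail = host_interfaces() if available is None else set(available)
    return {s: (i, i in avail) for s, i in configured_interfaces(cfg_text).items()}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_NODE_CFG
    results = check_node_cfg(text)
    if not results:
        print("no node section sets interface=; bro will not sniff anything")
    for section, (iface, ok) in results.items():
        if ok:
            print(f"[{section}] interface={iface}: present; next run tcpdump -i {iface}")
        else:
            print(f"[{section}] interface={iface}: NOT on this host; "
                  "fix node.cfg, then broctl install and broctl restart")
```

If every configured interface is present, the remaining steps in the answer apply unchanged: watch tcpdump -i <interface> for mirrored traffic, then broctl diag and broctl status.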
