
I have configured Bro on my system successfully. The OS is CentOS 7. I have to monitor multimedia traffic, e.g. YouTube, and some social sites like Facebook. I started Bro for some minutes while using Facebook and YouTube, but there is no information about YouTube in the http log file, nor about Facebook. As far as I think, this is a protocol problem, as Facebook uses HTTPS rather than HTTP, but I do not know why YouTube.

I have followed the following steps after setting the correct interface.

[BroControl] > install

Then

[BroControl] > start

But I have not found any YouTube or Facebook info in http.log. How do I get traffic info for such websites?

Hafiz Muhammad Shafiq
  • Please tell us what you have done to troubleshoot this so far. How is your node.cfg configured? Have you verified that you can see the relevant data using tcpdump? If `https` is in use, are you doing anything to decrypt the data? If not, I'm not sure why you would *expect* to read the content, and I'm also not sure why you'd look in the http.log. Check the ssl.log for certificate information. I also think you'll find, if you look, that YouTube is also over HTTPS by default. – David Hoelzer May 15 '16 at 06:18

2 Answers

The problem is that you are expecting SSL encrypted traffic to be magically decrypted and appear in your http.log. If you look again, you will find that YouTube also runs over HTTPS.

Unless you are doing something to intercept and act as a man-in-the-middle for the SSL/TLS connections, you cannot expect to be able to see the content. If you can't see it, Bro can't see it either. :)

If you want to verify that you are properly configured, you would be best served looking at the conn.log to verify that the connections are occurring. Once you do that, search for the UID values in the other logs and I strongly suspect that you will see that you are finding SSL certificate data.

David Hoelzer
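The check this answer recommends, as an added example (not code from the answer or from the Bro project): parse conn.log, ssl.log and http.log in Bro's tab-separated format, then join the records on the `uid` column to see which protocol log carries the detail for each connection. The three log excerpts below are constructed samples with a reduced set of columns; the IPs, UIDs and timestamps are made up. Because the sessions to YouTube and Facebook are TLS on port 443, their hostnames surface only as the SNI `server_name` in ssl.log, never in http.log.

```python
"""Correlate Bro conn.log, ssl.log and http.log records by UID.

Demonstrates why HTTPS sessions appear in ssl.log (TLS metadata) rather
than http.log: the sensor sees the handshake, not the plaintext request.
"""
import io

# Constructed sample logs (not captured from a real sensor). Column order
# does not matter: the parser reads the #fields header.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1463292000.100\tCAbc1X2Y3Z\t10.0.0.5\t51234\t172.217.3.110\t443\ttcp\tssl
1463292001.200\tCDef4U5V6W\t10.0.0.5\t51235\t31.13.71.36\t443\ttcp\tssl
1463292002.300\tCGhi7R8S9T\t10.0.0.5\t51236\t93.184.216.34\t80\ttcp\thttp
1463292003.400\tCJkl0O1P2Q\t10.0.0.5\t51237\t8.8.8.8\t53\tudp\tdns
#close\t2016-05-15-06-10-00
"""

SSL_LOG = """#separator \\x09
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.resp_h\tid.resp_p\tversion\tserver_name\tsubject
#types\ttime\tstring\taddr\tport\tstring\tstring\tstring
1463292000.150\tCAbc1X2Y3Z\t172.217.3.110\t443\tTLSv12\twww.youtube.com\tCN=*.google.com
1463292001.250\tCDef4U5V6W\t31.13.71.36\t443\tTLSv12\twww.facebook.com\tCN=*.facebook.com
"""

HTTP_LOG = """#separator \\x09
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\tstring\tstring\tstring
1463292002.350\tCGhi7R8S9T\t93.184.216.34\t80\tGET\texample.com\t/
"""


def parse_bro_log(text):
    """Parse one Bro TSV log into a list of dicts keyed by the #fields names.

    Honours #separator (written as an escape such as \\x09) and #unset_field
    (written as "-"), and skips the other header and footer lines.
    """
    sep, unset, fields, records = "\t", "-", None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator"):
            # The separator itself is not known yet, so this line uses a space.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#"):
            continue  # #set_separator, #empty_field, #path, #types, #open, #close
        else:
            values = line.split(sep)
            records.append({k: (None if v == unset else v)
                            for k, v in zip(fields, values)})
    return records


def index_by_uid(records):
    """Map uid -> record so protocol logs can be joined against conn.log."""
    return {r["uid"]: r for r in records}


def explain_sessions(conn_text, ssl_text, http_text):
    """For each conn.log entry return (uid, log that explains it, hostname).

    Hostname is the TLS SNI for ssl.log, the Host header for http.log, and
    the conn.log service label when no protocol log has the UID.
    """
    ssl_by_uid = index_by_uid(parse_bro_log(ssl_text))
    http_by_uid = index_by_uid(parse_bro_log(http_text))
    rows = []
    for c in parse_bro_log(conn_text):
        uid = c["uid"]
        if uid in ssl_by_uid:
            rows.append((uid, "ssl.log", ssl_by_uid[uid]["server_name"]))
        elif uid in http_by_uid:
            rows.append((uid, "http.log", http_by_uid[uid]["host"]))
        else:
            rows.append((uid, "conn.log only", c["service"]))
    return rows


def find_site(conn_text, ssl_text, http_text, needle):
    """Sessions whose SNI or Host header contains `needle`, with the log they came from."""
    return [row for row in explain_sessions(conn_text, ssl_text, http_text)
            if row[2] and needle in row[2]]


if __name__ == "__main__":
    for uid, log, name in explain_sessions(CONN_LOG, SSL_LOG, HTTP_LOG):
        print(f"{uid}  {log:14}  {name}")
```

On a live sensor, replace the embedded strings with the contents of `/usr/local/bro/logs/current/conn.log`, `ssl.log` and `http.log`; the parser reads the headers, so the full column set works unchanged. If a site you expect is absent from ssl.log as well as http.log, the gap is upstream of protocol analysis (interface, span/tap, or Bro not running), which is where the other answer's checks apply.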

Several things come to mind

1) What are the contents of /usr/local/bro/etc/node.cfg? Make sure it is the interface you expect traffic to cross via a span or tap.

2) Run tcpdump -i <interface> where interface comes from question 1.

3) Run /usr/local/bro/bin/broctl diag to see if there are any issues.

4) Run /usr/local/bro/bin/broctl status to verify everything is running.

If the interface is wrong, the solution may be that easy.

aeppert
    This is not an answer. – TomSlick May 12 '16 at 16:54
  • @TomSlick re-evaluate this. The provided information in the original post was not adequate to really render a necessary answer. I reworded the response to be more of an answer. However, it is a non-trivial problem and unless you understand the underlying software it is hard to describe adequately in a finite space. – aeppert May 14 '16 at 01:07
  • @TomSlick This is perfectly valid troubleshooting advice to a really broad question. Starting from the premise that the interface is likely misconfigured, this is a relevant answer. That may not be the issue, however. – David Hoelzer May 15 '16 at 06:16
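Step 1 of this answer, as an added example (not code from the answer or from the Bro project): read node.cfg, collect every node section that names an `interface`, and check each against the interfaces the kernel exposes under `/sys/class/net`. The two config texts below are constructed; the standalone layout mirrors the default node.cfg, and the cluster layout shows that the same check covers `worker-*` sections. Steps 2 to 4 remain the `tcpdump` and `broctl` commands given in the answer.

```python
"""Verify that the interface(s) in Bro's node.cfg exist on this host.

A wrong interface name is the silent failure mode: broctl starts cleanly,
but no packets ever reach the analyzers, so every protocol log stays empty.
"""
import configparser
import os

# Constructed examples of /usr/local/bro/etc/node.cfg (not a real deployment).
STANDALONE_CFG = """\
[bro]
type=standalone
host=localhost
interface=eth0
"""

CLUSTER_CFG = """\
[manager]
type=manager
host=localhost

[proxy-1]
type=proxy
host=localhost

[worker-1]
type=worker
host=localhost
interface=eth1
"""


def monitored_interfaces(cfg_text):
    """Return {node_name: interface} for each node.cfg section that sets one.

    Manager and proxy sections carry no interface and are skipped.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(cfg_text)
    return {name: sect["interface"] for name, sect in cfg.items()
            if name != cfg.default_section and "interface" in sect}


def local_interfaces():
    """Interface names present on this Linux host (empty on other platforms)."""
    try:
        return sorted(os.listdir("/sys/class/net"))
    except OSError:
        return []


def check_interfaces(cfg_text, available):
    """Map node -> (interface, exists) so a misconfigured node is obvious."""
    return {node: (iface, iface in available)
            for node, iface in monitored_interfaces(cfg_text).items()}


if __name__ == "__main__":
    # Assumed default path; adjust if Bro was installed elsewhere.
    path = "/usr/local/bro/etc/node.cfg"
    text = open(path).read() if os.path.exists(path) else STANDALONE_CFG
    for node, (iface, ok) in check_interfaces(text, local_interfaces()).items():
        print(f"{node}: interface={iface} {'OK' if ok else 'NOT FOUND'}")
```

When a node reports `NOT FOUND`, fix node.cfg, rerun `broctl install` and `broctl start`, then confirm with `tcpdump -i <interface>` that the span or tap actually delivers the client's traffic before looking at any Bro log.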