PAS-2: HTTPS paths are only extracted if a TLS handshake has been observed

Issue Information

Issue Type: Bug
 
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Fixed (2015-11-27 13:17:58)
Affects Version: 0.1,
Target version: 0.1,
Components: Processing Logic , HTTP , SSL/TLS ,
Labels: Referrer, SSLPathExtraction,

Created: 2015-11-22 09:10:25
Time Spent Working
Estimated:
 
40 minutes
Remaining:
  
35 minutes
Logged:
  
5 minutes


Description
At the moment, the script uses a list of domains seen in TLS handshakes to search HTTP referrers to identify paths visited on the HTTPS site.

If, however, the capture started after a TLS handshake, information on a given site will be missing despite the fact we have information readily available.

So, it may be better to look at extracting a list of HTTPS sites from the referrer headers that have been captured, and build the known SSL paths based on that information instead.


Toggle State Changes

Activity


2015-11-22 11:44:32
btasker changed timespent from '0 minutes' to '5 minutes'

2015-11-22 11:45:32
Currently undergoing a test run, but the script now extracts HTTPS FQDN's from the Referer's observed and then goes through to identify all traffic originating from that domain

2015-11-22 12:10:35
That seems to have done the job quite nicely, also ran that section quite a lot quicker by the looks of it

2015-11-22 12:10:41
btasker changed status from 'Open' to 'Resolved'

2015-11-22 12:10:41
btasker added 'Done' to resolution

2015-11-22 12:10:46
btasker changed status from 'Resolved' to 'Closed'

2015-11-22 12:11:41

Repo: PCAPAnalyseandReport
Commit: d7f666566324cc3539609643c69d9f4227512b3b
Author: B Tasker <github@<Domain Hidden>>

Date: Sun Nov 22 12:09:49 2015 +0000
Commit Message: SSL path extraction now based on HTTP Referer. See PAS-2



Modified (-)(+)
-------
PCAP_Analysis.sh




Webhook User-Agent 

GitHub-Hookshot/88897e7


View Commit


2015-11-27 13:17:30
Re-opening to assign to a component

2015-11-27 13:17:30
btasker removed 'Done' from resolution

2015-11-27 13:17:30
btasker changed status from 'Closed' to 'Reopened'

2015-11-27 13:17:58
btasker changed status from 'Reopened' to 'Resolved'

2015-11-27 13:17:58
btasker added 'Fixed' to resolution

2015-11-27 13:18:03
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
 Permalink
2015-11-22 11:44:32

Time Spent: 5 minutes
Log Entry: Switching to using referrer field as input