PAS-2: HTTPS paths are only extracted if a TLS handshake has been observed

Issue Information

Issue Type: Bug
Priority: Major
Status: Closed

Reported By: Ben Tasker
Assigned To: Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Fixed (2015-11-27 13:17:58)
Affects Version: 0.1
Target version: 0.1
Components: Processing Logic, HTTP, SSL/TLS
Labels: Referrer, SSLPathExtraction

Created: 2015-11-22 09:10:25
Time Spent Working
40 minutes
35 minutes
5 minutes

At the moment, the script uses a list of domains seen in TLS handshakes to search HTTP referrers to identify paths visited on the HTTPS site.

If, however, the capture started after a TLS handshake, information on a given site will be missing despite the fact we have information readily available.

So, it may be better to look at extracting a list of HTTPS sites from the referrer headers that have been captured, and build the known SSL paths based on that information instead.


btasker changed timespent from '0 minutes' to '5 minutes'
Currently undergoing a test run, but the script now extracts HTTPS FQDNs from the Referers observed and then goes through to identify all traffic originating from that domain.
That seems to have done the job quite nicely, also ran that section quite a lot quicker by the looks of it.
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'
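
The approach described in the issue and the comment above (take HTTPS FQDNs from captured Referer headers, then find the traffic that originated from them), sketched in Python as an added example. It is not the PAS script's own code; the function names and the sample requests are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (requested host, request path, Referer header) tuples as
# they might be pulled from plaintext HTTP requests in a capture.
SAMPLE_REQUESTS = [
    ("cdn.example.net", "/lib.js", "https://shop.example.com/basket?item=42"),
    ("cdn.example.net", "/logo.png", "https://shop.example.com/basket?item=42"),
    ("ads.example.org", "/pixel.gif", "https://Shop.Example.com:443/checkout"),
    ("ads.example.org", "/pixel.gif", "https://mail.example.com"),
    ("www.example.net", "/index.html", "http://plain.example.net/page"),
    ("www.example.net", "/favicon.ico", ""),
    ("www.example.net", "/x", "https://[bad-referer"),
]


def parse_https_referer(referer):
    """Return (host, path) for an https:// Referer, or None otherwise."""
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname  # lower-cased, port removed
    except ValueError:  # malformed value, e.g. an unterminated IPv6 literal
        return None
    if parts.scheme != "https" or not host:
        return None
    path = parts.path or "/"  # an origin-only Referer still proves a visit
    if parts.query:
        path += "?" + parts.query
    return host, path


def https_paths_from_referers(requests):
    """Map each HTTPS FQDN seen in a Referer to the paths known to be visited."""
    paths = defaultdict(set)
    for _host, _path, referer in requests:
        parsed = parse_https_referer(referer)
        if parsed:
            paths[parsed[0]].add(parsed[1])
    return {host: sorted(seen) for host, seen in paths.items()}


def traffic_from_https_sites(requests):
    """Group plaintext requests by the HTTPS site whose page triggered them."""
    out = defaultdict(list)
    for host, path, referer in requests:
        parsed = parse_https_referer(referer)
        if parsed:
            out[parsed[0]].append(f"http://{host}{path}")
    return dict(out)
```

Because no handshake is needed, a site whose TLS session began before the capture started is still reported. Coverage depends on clients actually sending an `https://` Referer on plaintext requests, which referrer policy can suppress or trim to the origin.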

Repo: PCAPAnalyseandReport
Commit: d7f666566324cc3539609643c69d9f4227512b3b
Author: B Tasker <github@<Domain Hidden>>

Date: Sun Nov 22 12:09:49 2015 +0000
Commit Message: SSL path extraction now based on HTTP Referer. See PAS-2

Re-opening to assign to a component
btasker removed 'Done' from resolution
btasker changed status from 'Closed' to 'Reopened'
btasker changed status from 'Reopened' to 'Resolved'
btasker added 'Fixed' to resolution
btasker changed status from 'Resolved' to 'Closed'

Work log

Ben Tasker
2015-11-22 11:44:32

Time Spent: 5 minutes
Log Entry: Switching to using referrer field as input