##########################################################################################
PAS-2: HTTPS paths are only extracted if a TLS handshake has been observed
##########################################################################################

Issue Type: Bug

-----------------------------------------------------------------------------------------
Issue Information
====================

Priority: Major
Status: Closed
Resolution: Fixed (2015-11-27 13:17:58)
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker

Components:
- Processing Logic
- HTTP
- SSL/TLS

Affected Versions:
- 0.1

Targeted for fix in version:
- 0.1

Labels: Referrer, SSLPathExtraction

Time Estimate: 35 minutes
Time Logged: 5 minutes

-----------------------------------------------------------------------------------------
Issue Description
==================

At the moment, the script uses the list of domains seen in TLS handshakes to search HTTP referrers and identify paths visited on those HTTPS sites. If, however, the capture started after a TLS handshake, information on a given site will be missing despite the fact that we have the information readily available.

So it may be better to extract a list of HTTPS sites from the referrer headers that have been captured, and build the known SSL paths from that information instead.
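The following is an added example in Python, not code from the PCAP Analysis Script, showing the two approaches the description contrasts: gating on hosts seen in a TLS handshake versus taking the HTTPS host directly from each Referer header, plus the follow-up step of listing the plaintext traffic that originated from a given HTTPS site. The request records, the host names and the set of handshake FQDNs are constructed for the example; in particular intranet.example.com is left out of the handshake set to stand in for a site whose handshake happened before the capture began.

```python
"""Referer-driven recovery of HTTPS hosts and paths (added example, not PAS code)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: plaintext HTTP requests as a capture would yield them,
# reduced to the host, the requested path and the headers we care about.
SAMPLE_REQUESTS = [
    {"host": "cdn.example.net", "path": "/img/logo.png",
     "headers": {"Referer": "https://shop.example.com/basket"}},
    {"host": "ads.example.org", "path": "/pixel.gif",
     "headers": {"Referer": "https://shop.example.com/checkout?step=2"}},
    {"host": "cdn.example.net", "path": "/css/site.css",
     "headers": {"Referer": "https://intranet.example.com/wiki/Home"}},
    {"host": "www.example.com", "path": "/index.html",
     "headers": {"Referer": "http://www.example.com/"}},  # plain HTTP: not an HTTPS path
    {"host": "cdn.example.net", "path": "/js/app.js",
     "headers": {}},                                        # no Referer at all
]

# Constructed: FQDNs whose TLS handshake (ClientHello SNI) fell inside the capture.
# intranet.example.com is deliberately absent: its handshake happened before the
# capture started, which is exactly the case the issue describes.
TLS_HANDSHAKE_FQDNS = {"shop.example.com"}


def _https_referer(request):
    """Return the parsed Referer if it is an https:// URL, else None."""
    ref = request.get("headers", {}).get("Referer")
    if not ref:
        return None
    parts = urlsplit(ref)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return parts  # parts.hostname is already lower-cased by urlsplit


def https_paths_from_referers(requests):
    """Proposed method: {fqdn: sorted paths} for every HTTPS Referer seen."""
    paths = defaultdict(set)
    for req in requests:
        parts = _https_referer(req)
        if parts is None:
            continue
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        paths[parts.hostname].add(path)
    return {fqdn: sorted(p) for fqdn, p in paths.items()}


def https_paths_via_handshakes(requests, handshake_fqdns):
    """Original method: keep only hosts whose TLS handshake was observed."""
    return {fqdn: paths
            for fqdn, paths in https_paths_from_referers(requests).items()
            if fqdn in handshake_fqdns}


def missed_by_handshake_method(requests, handshake_fqdns):
    """HTTPS hosts the Referer-driven method recovers but the handshake-gated one drops."""
    return sorted(set(https_paths_from_referers(requests)) - set(handshake_fqdns))


def traffic_originating_from(requests, fqdn):
    """Plaintext fetches (host, path) made while the user was on the given HTTPS site."""
    hits = []
    for req in requests:
        parts = _https_referer(req)
        if parts is not None and parts.hostname == fqdn.lower():
            hits.append((req["host"], req["path"]))
    return sorted(hits)


if __name__ == "__main__":
    print("handshake-gated:", https_paths_via_handshakes(SAMPLE_REQUESTS, TLS_HANDSHAKE_FQDNS))
    print("referer-driven: ", https_paths_from_referers(SAMPLE_REQUESTS))
    print("recovered hosts:", missed_by_handshake_method(SAMPLE_REQUESTS, TLS_HANDSHAKE_FQDNS))
    for site in https_paths_from_referers(SAMPLE_REQUESTS):
        print(site, "->", traffic_originating_from(SAMPLE_REQUESTS, site))
```

One caveat worth keeping in mind when reading the output: a Referer only carries what the referring browser chose to send. Sites that set a Referrer-Policy such as strict-origin-when-cross-origin (the default in current browsers) reduce cross-origin Referers to the bare origin, so the recovered "path" for those sites will be just "/", and fragments are never sent at all. The method still identifies the HTTPS host without a handshake, which is the point of the change, but the path detail depends on the policy in force when the capture was taken.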
-----------------------------------------------------------------------------------------
Activity
==========

-----------------------------------------------------------------------------------------
2015-11-22 11:44:32
-----------------------------------------------------------------------------------------
btasker changed timespent from '0 minutes' to '5 minutes'

-----------------------------------------------------------------------------------------
2015-11-22 11:45:32 btasker
-----------------------------------------------------------------------------------------
Currently undergoing a test run, but the script now extracts HTTPS FQDNs from the Referers observed and then goes through to identify all traffic originating from that domain.

-----------------------------------------------------------------------------------------
2015-11-22 12:10:35 btasker
-----------------------------------------------------------------------------------------
That seems to have done the job quite nicely; it also ran that section quite a lot quicker by the looks of it.

-----------------------------------------------------------------------------------------
2015-11-22 12:10:41
-----------------------------------------------------------------------------------------
btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2015-11-22 12:10:41
-----------------------------------------------------------------------------------------
btasker added 'Done' to resolution

-----------------------------------------------------------------------------------------
2015-11-22 12:10:46
-----------------------------------------------------------------------------------------
btasker changed status from 'Resolved' to 'Closed'

-----------------------------------------------------------------------------------------
2015-11-22 12:11:41 git
-----------------------------------------------------------------------------------------
-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: d7f666566324cc3539609643c69d9f4227512b3b
Author: B Tasker