PAS-27: Allow Configuration of SSL Ports



Issue Information

Issue Type: New Feature
Priority: Major
Status: Closed

Reported By:
Ben Tasker
Assigned To:
Ben Tasker
Project: PCAP Analysis Script (PAS)
Resolution: Done (2016-02-03 14:08:01)
Affects Version: 0.1,
Target version: 0.1,
Components: SSL/TLS ,

Created: 2016-02-03 12:54:18
Time Spent Working
Estimated: 60 minutes
Remaining: 60 minutes
Logged: 0 minutes


Description
TShark does a good job of picking out SSL/TLS connections, but sometimes misses things where non-standard ports have been used.

For example, looking at a PCAP where a Tor client has been started, there's a guard using port 9035 as its ORPort, so we get no information from that at all.

If running tshark manually, we'd pass in
-d tcp.port==9035,ssl

to force use of the SSL dissector for that port, so it'd be good to have some means in the configuration to specify particular ports (as well as the defaults) that we want treated as SSL/TLS.

It'd allow a user to iterate over a PCAP, looking at the dest ip/ports list to identify unexpected port numbers and then re-run treating those as SSL.



Activity


I've not got as far as testing it yet, but now have an implementation to allow specific ports to be specified within the configuration.
SSLPorts="1193 1473"

Where port numbers are space separated.

The script will force the SSL dissector to be used for TCP connections to those ports (as well as the standard ports, like 443)

The default value hardcoded within the script is currently
9035 12194 9001

Where the first two of the above are common variations I've seen for various services. 9001 is the old default ORPort for Tor (though I think the dissector actually catches this by default anyway).

Will commit once I've had a chance to test it
Tested and working, marking as complete
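As an added illustration (not code from the PAS repository), the shell function below turns a space-separated SSLPorts value like the one above into the tshark "-d tcp.port==<port>,ssl" decode-as arguments the description mentions. The default list is the one quoted in the comment; the SSLPorts variable name follows the configuration snippet, and the rejection of non-numeric or out-of-range tokens is an assumption about what a robust implementation should do.

```shell
#!/bin/sh
# Added example, not the project's own code: build tshark "-d" decode-as
# arguments from a space-separated SSLPorts setting as described in PAS-27.
# DEFAULT_SSL_PORTS is the hardcoded default quoted in the issue.

DEFAULT_SSL_PORTS="9035 12194 9001"

# Return 0 if $1 is a TCP port number in 1..65535 (digits only), else 1.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -le 5 ] || return 1          # avoid oversized integers
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print one "-d tcp.port==<port>,ssl" pair per unique valid port, taking the
# defaults first and then the user-supplied list in $1. Invalid tokens are
# reported on stderr and skipped so a typo in the config cannot break the run.
build_ssl_decode_args() {
    user_ports="$1"
    seen=" "
    out=""
    for p in $DEFAULT_SSL_PORTS $user_ports; do
        if ! is_valid_port "$p"; then
            echo "SSLPorts: ignoring invalid port '$p'" >&2
            continue
        fi
        case "$seen" in
            *" $p "*) continue ;;        # already emitted (e.g. 9001 twice)
        esac
        seen="$seen$p "
        out="$out -d tcp.port==$p,ssl"
    done
    printf '%s\n' "${out# }"             # strip the leading space
}

# Usage: the value from the issue plus 'forty', a constructed typo that
# exercises the validation. The output is what gets appended to the tshark
# command line, e.g.:
#   tshark -r capture.pcap $(build_ssl_decode_args "$SSLPorts") -Y ssl
SSLPorts="1193 1473 forty"
build_ssl_decode_args "$SSLPorts"
```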
btasker changed status from 'Open' to 'Resolved'
btasker added 'Done' to resolution
btasker changed status from 'Resolved' to 'Closed'

Repo: PCAPAnalyseandReport
Commit: fc542f44ff01baf576649436e0aea4ddb9edbf1e
Author: Ben Tasker <github@<Domain Hidden>>

Date: Wed Feb 03 14:07:39 2016 +0000
Commit Message: Added ability to force SSL dissector for tcp ports. See PAS-27



Modified files:
Docs/OverridingConfiguration.md
PCAP_Analysis.sh



