##########################################################################################
PAS-27: Allow Configuration of SSL Ports
##########################################################################################

Issue Type: New Feature

-----------------------------------------------------------------------------------------

Issue Information
====================

Priority: Major
Status: Closed
Resolution: Done (2016-02-03 14:08:01)
Project: PCAP Analysis Script (PAS)
Reported By: btasker
Assigned To: btasker

Components:
- SSL/TLS

Affected Versions:
- 0.1

Targeted for fix in version:
- 0.1

Time Estimate: 60 minutes
Time Logged: 0 minutes

-----------------------------------------------------------------------------------------

Issue Description
==================

TShark does a good job of picking out SSL/TLS connections, but sometimes misses things where non-standard ports have been used.

For example, looking at a PCAP where a tor client has been started, there's a guard using port 9035 as its ORPort, so we get no information from that at all.

If running tshark manually, we'd pass in

-- BEGIN SNIPPET --
-d tcp.port==9035,ssl
-- END SNIPPET --

to force use of the SSL dissector for that port, so it'd be good to have some means in the configuration to specify particular ports (as well as the defaults) that we want treated as SSL/TLS.

It'd allow a user to iterate over a PCAP, looking at the dest ip/ports list to identify unexpected port numbers and then re-run treating those as SSL.

-----------------------------------------------------------------------------------------

Activity
==========

-----------------------------------------------------------------------------------------
2016-02-03 13:44:51 btasker
-----------------------------------------------------------------------------------------

I've not got as far as testing it yet, but now have an implementation to allow specific ports to be specified within the configuration.
-- BEGIN SNIPPET --
SSLPorts="1193 1473"
-- END SNIPPET --

Where port numbers are space separated.

The script will force the SSL dissector to be used for TCP connections to those ports (as well as the standard ports, like 443).

The default value hardcoded within the script is currently

-- BEGIN SNIPPET --
9035 12194 9001
-- END SNIPPET --

Where the first two of the above are common variations I've seen for various services. 9001 is the old default ORPort for Tor (though I think the dissector actually catches this by default anyway).

Will commit once I've had a chance to test it.

-----------------------------------------------------------------------------------------
2016-02-03 14:07:51 btasker
-----------------------------------------------------------------------------------------

Tested and working, marking as complete.

-----------------------------------------------------------------------------------------
2016-02-03 14:08:01
-----------------------------------------------------------------------------------------

btasker changed status from 'Open' to 'Resolved'

-----------------------------------------------------------------------------------------
2016-02-03 14:08:01
-----------------------------------------------------------------------------------------

btasker added 'Done' to resolution

-----------------------------------------------------------------------------------------
2016-02-03 14:08:07
-----------------------------------------------------------------------------------------

btasker changed status from 'Resolved' to 'Closed'

-----------------------------------------------------------------------------------------
2016-02-03 14:09:32 git
-----------------------------------------------------------------------------------------

-- BEGIN QUOTE --
Repo: PCAPAnalyseandReport
Commit: fc542f44ff01baf576649436e0aea4ddb9edbf1e
Author: Ben Tasker
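As an added example (not the PAS script's own code, which this page does not show), the following POSIX shell turns a space-separated SSLPorts value, merged with the hard-coded default list quoted in the activity above, into the per-port "-d tcp.port==N,ssl" arguments the issue description says tshark needs. The function names build_ssl_decode_args and run_tshark_with_ssl_ports, the variable name DEFAULT_SSL_PORTS and the sample SSLPorts value are assumptions; the -d syntax and the default port list come from the page. The check a practitioner wants here is the one on each token: a typo in the config would otherwise be passed straight to tshark, which refuses to start on a malformed -d rule, so non-numeric or out-of-range tokens are dropped and duplicates (such as 9001 appearing in both lists) are emitted only once.

```shell
#!/bin/sh
# Added example, not the PAS script's own code: build tshark "-d" decode-as
# arguments from a space-separated SSLPorts value so the SSL dissector is
# forced for TCP connections on those ports plus a hard-coded default set.

# Default list quoted on the page ("9035 12194 9001"); holding it in a
# variable of this name is an assumption.
DEFAULT_SSL_PORTS="9035 12194 9001"

# User configuration, space separated, in the form shown in the issue
# (SSLPorts="1193 1473"); the value here is a constructed sample.
SSLPorts="${SSLPorts:-1193 1473}"

# build_ssl_decode_args PORTS
# Prints "-d tcp.port==N,ssl" for each unique port in DEFAULT_SSL_PORTS
# followed by PORTS, skipping tokens that are not valid TCP port numbers
# (a stray typo in the config would otherwise make tshark refuse to run).
build_ssl_decode_args() {
    seen=""
    out=""
    for p in $DEFAULT_SSL_PORTS $1; do
        case "$p" in
            ''|*[!0-9]*) continue ;;        # not purely numeric
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            continue                        # outside the TCP port range
        fi
        case " $seen " in
            *" $p "*) continue ;;           # already emitted
        esac
        seen="$seen $p"
        out="$out -d tcp.port==$p,ssl"
    done
    printf '%s' "${out# }"
}

# run_tshark_with_ssl_ports PCAP
# Reads PCAP with the extra decode-as rules applied and lists, per TLS
# handshake packet, the destination IP/port and any SNI the client sent.
run_tshark_with_ssl_ports() {
    pcap="$1"
    # Word splitting of the generated "-d" arguments is intentional.
    tshark -r "$pcap" $(build_ssl_decode_args "$SSLPorts") \
        -Y ssl.handshake -T fields \
        -e ip.dst -e tcp.dstport -e ssl.handshake.extensions_server_name
}

# Show the arguments that would be passed for the configured ports.
printf 'extra tshark args: %s\n' "$(build_ssl_decode_args "$SSLPorts")"
```

With the sample configuration the block prints the five -d arguments, defaults first and then the configured ports, which is the set a user would pass after spotting unexpected destination ports in a first pass over the PCAP. One caveat for anyone reusing the 2016 form on this page: Wireshark 3.0 renamed the dissector from ssl to tls, so on current releases the decode-as target is tls and the display-filter fields are tls.* rather than ssl.*.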