
decrypted ssl traffic parsing

Question asked by Michael Pochan on Jun 2, 2017
Latest reply on Jun 2, 2017 by Michael Pochan

We began ingesting decrypted https traffic into our Netwitness packet decoders (10.6.2). The request and response headers are showing up fine and the service is being tagged as 80. However, none of the headers are being parsed by the http_lua parser, which parses normal http traffic just fine. The decrypted header formats are the same, but every meta key that the http_lua parser is tied to has an empty value for these sessions. Has anyone else encountered this? We'd like to avoid having to write our own parsers for each individual header field, but if it comes to that it can be done. I was just curious why traffic over 443 that is being identified as 'service = 80' would cause issues with the http_lua parser, especially since it already parses http traffic for us over other nonstandard ports. We are also not seeing any parsing failure errors.
