Correlate a User in an HTTP_Request

triggers

#1

I am trying to correlate a user in HTTP_Requests. Thoughts?


#2

Do they log into the application?


#3

They do, but a lot of it is under SSL, so I'm pretty sure that will not come across unless we decrypt. I was just looking to try and get data from another source and correlate it somehow so I could get a logged-in user and a tally of websites visited…


#4

You won’t be able to get “perfect” without decrypting the SSL traffic.

However, there are other avenues to pursue.

  1. Look at DNS requests and map them back to the client IP. Even if using SSL to encrypt the transaction, the client typically uses DNS to map hostname to IP address. Metric here is DNS.qname

  2. Look at the SSL certificate. Again, map this back to client IP. Metric here is SSL.certificate.subject

  3. Look at SSL record size exchanged to see how much payload was sent/received over SSL. Metric here is, I think, SSL.recordSize *

This gives you a rather full picture of what a client was doing and where it was going.

Final Thought

There are a couple of bundles over on the Bundle Gallery (extrahop.com/bundles) that handle the SSL portion of this quite nicely.

* need to check that metric.
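
As an added example (not from this thread and not ExtraHop's code), a small Python script that correlates the sources named in the post, DNS query names and SSL certificate subjects, with an application login log by client IP, producing the per-user tally of sites the question asks for. All log lines are constructed and the key=value record layout is an assumption; TLS sessions with no login or no preceding DNS query (cached resolution, direct IP) are kept aside as unattributed rather than guessed.

```python
import re
from collections import Counter, defaultdict
# Constructed sample records (not real traffic); key=value layout is assumed.
DNS_LOG = """\
2024-01-10T09:00:01Z client=10.0.0.5 qname=www.example.com
2024-01-10T09:00:02Z client=10.0.0.5 qname=cdn.example.net
2024-01-10T09:00:05Z client=10.0.0.7 qname=mail.example.org
"""
SSL_LOG = """\
2024-01-10T09:00:01Z client=10.0.0.5 subject=CN=www.example.com
2024-01-10T09:00:03Z client=10.0.0.5 subject=CN=*.example.net
2024-01-10T09:00:06Z client=10.0.0.7 subject=CN=mail.example.org
2024-01-10T09:00:08Z client=10.0.0.9 subject=CN=login.example.com
"""
# The "other source": application login events that tie a client IP to a user.
LOGIN_LOG = """\
2024-01-10T08:59:00Z client=10.0.0.5 user=alice
2024-01-10T08:59:30Z client=10.0.0.7 user=bob
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Yield one dict of key=value fields per non-empty line."""
    for line in log.splitlines():
        if line.strip():
            yield dict(FIELD.findall(line))

def cn_matches(cn, hostname):
    """True if a certificate CN (plain or single-label wildcard) covers hostname."""
    if cn.startswith("*."):
        return hostname.endswith(cn[1:]) and hostname.count(".") == cn.count(".")
    return cn == hostname

def tally_by_user(dns_log, ssl_log, login_log):
    """Return ({user: Counter(hostname -> TLS sessions)}, [(ip, cn) unattributed])."""
    ip_to_user = {r["client"]: r["user"] for r in parse(login_log)}
    queried = defaultdict(set)      # client IP -> hostnames it resolved via DNS
    visits = defaultdict(Counter)   # user -> hostname -> count
    unmatched = []                  # sessions with no login or no matching DNS query
    for r in parse(dns_log):
        queried[r["client"]].add(r["qname"])
    for r in parse(ssl_log):
        ip, cn = r["client"], re.sub(r"^CN=", "", r["subject"])
        hosts = [h for h in queried[ip] if cn_matches(cn, h)]
        if ip not in ip_to_user or not hosts:
            unmatched.append((ip, cn))  # cached DNS, direct IP, or unknown user
            continue
        for h in hosts:
            visits[ip_to_user[ip]][h] += 1
    return visits, unmatched
```

The unattributed list is worth reviewing rather than discarding: it is exactly where this approach loses visibility, and it grows whenever clients resolve names through a path the sensor does not see.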


#5

I will test this out. Thank you all. I'll report back this week on findings.