[Bro] Protocol Analyzer

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Wed Sep 21 15:29:05 PDT 2016


I am doing low level packet inspection using the tcp_packet event. I am
wondering if there is a way to inspect only the tcp payload if it
doesn't parse to any well-known tcp based application. For example, if
an application uses 20394/tcp for TLS, I would not want to see this
payload. However, if the application using 20394/tcp has a payload that
doesn't parse to anything Bro speaks, I would like to be able to inspect
this tcp payload.

Thanks in advance!


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160921/c4ded6a3/attachment.bin 

More information about the Bro mailing list