[Bro] Protocol Analyzer
bmixonb1 at cs.unm.edu
Wed Sep 21 15:29:05 PDT 2016
I am doing low-level packet inspection using the tcp_packet event. I am
wondering if there is a way to inspect only the TCP payload if it
doesn't parse to any well-known TCP-based application. For example, if
an application uses 20394/tcp for TLS, I would not want to see this
payload. However, if the application using 20394/tcp has a payload that
doesn't parse to anything Bro speaks, I would like to be able to inspect
this TCP payload.
Thanks in advance!
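One way to approximate the filter asked about above in a Bro script, as an added example that is not part of the original post or Bro's own code: payload from tcp_packet is held per connection until dynamic protocol detection has had a chance to confirm an analyzer, and is passed on only if c$service stays empty. The module name, the inspect hook and the hold_bytes budget are hypothetical, and treating any entry in c$service as "recognised" is an assumption.

```bro
module UnknownTCP;

export {
	# Hypothetical hook: attach your own payload inspection here.
	global inspect: hook(c: connection, is_orig: bool, payload: string);
	# Assumed budget: payload bytes held per connection while DPD decides.
	const hold_bytes = 4096 &redef;
}
type Chunk: record { is_orig: bool; data: string; };
type Held: record {
	chunks: vector of Chunk;      # container fields start out empty
	size: count &default=0;
	released: bool &default=F;
};
global held: table[string] of Held;   # keyed by connection uid

function release(c: connection, h: Held)
	{
	for ( i in h$chunks )
		hook inspect(c, h$chunks[i]$is_orig, h$chunks[i]$data);
	h$chunks = vector();
	h$released = T;
	}

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	if ( len == 0 || |c$service| > 0 )
		return;   # no data, or an analyzer has already claimed the connection
	if ( c$uid !in held )
		{ local fresh: Held; held[c$uid] = fresh; }
	local h = held[c$uid];
	if ( h$released )
		{ hook inspect(c, is_orig, payload); return; }
	h$chunks[|h$chunks|] = Chunk($is_orig=is_orig, $data=payload);
	h$size += |payload|;
	if ( h$size >= hold_bytes )
		release(c, h);   # budget used up and still no confirmed analyzer
	}

event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count)
	{ delete held[c$uid]; }   # recognised protocol: discard what was held

event connection_state_remove(c: connection)
	{
	if ( c$uid !in held ) return;
	if ( |c$service| == 0 && ! held[c$uid]$released )
		release(c, held[c$uid]);   # short connection that was never identified
	delete held[c$uid];
	}
```

A protocol confirmed only after hold_bytes have been released will already have had its first bytes passed to the hook, so the budget trades memory against that false-positive window.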