[Bro] get TCP payload of first ACK from client
zhangxu1115 at gmail.com
Fri Jun 23 15:47:45 PDT 2017
I'm writing a bro script to output TCP payload of first ack from client
(is_orig = True),
I'm currently using tcp_packet event, check the ack flag and payload length
as well as if it is the first ack. I'm wondering if there is a cheaper way
to achieve this, since tcp_packet is pretty expensive.
I cannot use connection_first_ACK event because it does not give me the
actual TCP payload.
I cannot use ssl_client_hello because i want to handle not only ssl.
Does anyone have suggestions? Thanks for the help!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro