[Bro] First orig_h packet after 3 way handshake
Azoff, Justin S
jazoff at illinois.edu
Wed Jul 13 15:58:32 PDT 2016
> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu> wrote:
>
> Does Bro have an event that will get fired for the first packet after
> the tcp 3-way handshake, or is there a way to get at that easily or does
> it require a lot of state to be maintained in the script?
>
> I am trying to get at this first packet following the 3 way handshake
> because that is where the client hello in the ssl handshake should be.
Can you use the ssl_client_hello event?
event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
--
- Justin Azoff
More information about the Bro
mailing list