[Bro] First orig_h packet after 3 way handshake

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Wed Jul 13 16:04:05 PDT 2016


Unfortunately for what I am doing, I cannot.

On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
> 
>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu> wrote:
>>
>> Does Bro have an event that will get fired for the first packet after
>> the tcp 3-way handshake, or is there a way to get at that easily or does
>> it require a lot of state to be maintained in the script?
>>
>> I am trying to get at this first packet following the 3 way handshake
>> because that is where the client hello in the ssl handshake should be.
> 
> Can you use the ssl_client_hello event?
> 
> event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)
> 

-- 
Ben
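
One way to get at the first originator data segment from a script, as an added example that is not part of the original thread: it keeps one set entry per connection between connection_established and the first originator segment that carries payload, then checks whether that payload starts like a TLS ClientHello. The set name awaiting_first_data and the 30-second expiry are assumptions; tcp_packet is raised for every TCP packet, so it is expensive on busy links.

```bro
# Added example (not from the thread). Names and the timeout are assumptions.
# Connections whose handshake was seen but whose first originator payload
# has not arrived yet. Entries expire so idle connections do not pile up.
global awaiting_first_data: set[string] &create_expire = 30 secs;

event connection_established(c: connection)
	{
	# Raised when the responder's SYN-ACK is seen.
	add awaiting_first_data[c$uid];
	}

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	# Skip responder packets, bare ACKs (len == 0, which includes the
	# final ACK of the handshake) and connections already handled.
	if ( ! is_orig || len == 0 || c$uid !in awaiting_first_data )
		return;

	delete awaiting_first_data[c$uid];

	# TLS record header: content type 0x16 (handshake), major version 0x03;
	# byte 5 is the handshake message type, 0x01 for ClientHello.
	local looks_like_hello = |payload| >= 6 && payload[0] == "\x16" &&
	                         payload[1] == "\x03" && payload[5] == "\x01";

	print fmt("%s first orig payload: %d bytes, client_hello=%s",
	          c$uid, len, looks_like_hello);
	}
```

The check only covers a ClientHello that begins in that first segment; protocols that upgrade to TLS later on the same connection will report client_hello=F here.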
