[Bro] First orig_h packet after 3 way handshake

Johanna Amann johanna at icir.org
Wed Jul 13 17:17:08 PDT 2016


Out of curiosity - what are you trying to do?

(I am always curious what people try to get from the SSL handshake that 
we do not parse out yet...)

Johanna

On 13 Jul 2016, at 16:04, Ben Mixon-Baca wrote:

> Unfortunately for what I am doing, I cannot.
>
> On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
>>
>>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu> wrote:
>>>
>>> Does Bro have an event that will get fired for the first packet after
>>> the tcp 3-way handshake, or is there a way to get at that easily or does
>>> it require a lot of state to be maintained in the script?
>>>
>>> I am trying to get at this first packet following the 3 way handshake
>>> because that is where the client hello in the ssl handshake should be.
>>
>> Can you use the ssl_client_hello event?
>>
>> event ssl_client_hello(c: connection, version: count, possible_ts: time,
>>     client_random: string, session_id: string, ciphers: index_vec)
>>
>
> -- 
> Ben


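An added example, not part of the original thread and not Bro's own code: a minimal Python parser that pulls the fields named in the quoted `ssl_client_hello` signature (version, possible_ts, client_random, session_id, ciphers) out of the first client payload after the TCP handshake, and returns nothing when the ClientHello does not fit in that one segment. The function names and the sample bytes are constructed for illustration; the 4-byte timestamp plus 28-byte random split follows the TLS 1.2 `Random` structure in RFC 5246.

```python
import struct

def parse_client_hello(payload: bytes):
    """Return ClientHello fields from the first client payload, or None."""
    # TLS record header: content type (1), record version (2), length (2).
    if len(payload) < 5 or payload[0] != 0x16:   # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    body = payload[5:5 + rec_len]
    # Handshake header: message type (1), length (3). Type 1 = ClientHello.
    if len(body) < 4 or body[0] != 0x01:
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < hs_len:
        return None  # ClientHello continues in a later segment or record
    try:
        version = struct.unpack("!H", hello[0:2])[0]
        random = hello[2:34]
        sid_len = hello[34]
        session_id = hello[35:35 + sid_len]
        off = 35 + sid_len
        cs_len = struct.unpack("!H", hello[off:off + 2])[0]
        raw = hello[off + 2:off + 2 + cs_len]
    except (IndexError, struct.error):
        return None  # length fields point past the end of the message
    if len(session_id) != sid_len or len(raw) != cs_len or cs_len % 2:
        return None
    ciphers = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    return {"version": version,
            "possible_ts": int.from_bytes(random[:4], "big"),
            "client_random": random[4:],
            "session_id": session_id,
            "ciphers": ciphers}

def build_sample() -> bytes:
    # Constructed sample (not captured traffic): TLS 1.2 hello, empty
    # session id, two cipher suites, null compression, no extensions.
    hello = (b"\x03\x03" + struct.pack("!I", 1468455428) + bytes(range(28))
             + b"\x00" + struct.pack("!H", 4) + b"\xc0\x2f\x00\x9c" + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

SAMPLE = build_sample()

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE))
```

The `None` path for a short payload is the case that makes "first packet after the handshake" unreliable on its own: a ClientHello split across TCP segments needs stream reassembly before it can be parsed.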