[Bro] First orig_h packet after 3 way handshake

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Thu Jul 14 10:26:33 PDT 2016


I'm looking at Tor+obfs4. Normally, everything parsed out using the
events in the SSL module would be perfect but since the handshake is
obfuscated, none of those events fire. I was trying to look at the
packet that _should_ be the client hello in order to see if there is
anything regular about that particular payload.

On 07/13/2016 05:17 PM, Johanna Amann wrote:
> Out of curiosity - what are you trying to do?
> 
> (I am always curious what people try to get from the SSL handshake that
> we do not parse out yet...)
> 
> Johanna
> 
> On 13 Jul 2016, at 16:04, Ben Mixon-Baca wrote:
> 
>> Unfortunately for what I am doing, I cannot.
>>
>> On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
>>>
>>>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu>
>>>> wrote:
>>>>
>>>> Does Bro have an event that will get fired for the first packet after
>>>> the tcp 3-way handshake, or is there a way to get at that easily or
>>>> does
>>>> it require a lot of state to be maintained in the script?
>>>>
>>>> I am trying to get at this first packet following the 3 way handshake
>>>> because that is where the client hello in the ssl handshake should be.
>>>
>>> Can you use the ssl_client_hello event?
>>>
>>> event ssl_client_hello(c: connection, version: count, possible_ts:
>>> time, client_random: string, session_id: string, ciphers: index_vec)
>>>
>>
>> -- 
>> Ben
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
Ben
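The approach the thread circles around (keep just enough per-connection state to know when the 3-way handshake has completed and which side is the originator, then grab that side's first payload and see whether it has the shape of a TLS ClientHello) can be modelled stand-alone. The block below is an added example written for this page, not a Bro script and not code from the thread or the Bro project: `FirstPayloadTracker`, `Packet`, `looks_like_client_hello` and the sample flows are constructed names and hand-built packets, and the ClientHello check is a header-shape heuristic (RFC 5246 record and handshake layout) rather than a full parser.

```python
"""Model of the logic discussed above: track the TCP three-way handshake per
connection, capture the first payload the originator sends after it, and
test whether that payload looks like a TLS ClientHello. All packets below
are hand-built samples, not captured traffic."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:                     # hypothetical minimal packet record
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class ConnState:
    orig: Tuple[str, int]         # endpoint that sent the bare SYN
    saw_synack: bool = False
    established: bool = False
    first_orig_payload: Optional[bytes] = None


class FirstPayloadTracker:
    """Per-connection state: just enough to know when the handshake is done
    and which side is the originator."""

    def __init__(self) -> None:
        self.conns: Dict[FrozenSet[Tuple[str, int]], ConnState] = {}

    @staticmethod
    def _key(p: Packet) -> FrozenSet[Tuple[str, int]]:
        # Direction-independent key so both sides of a flow share one state.
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def feed(self, p: Packet) -> Optional[bytes]:
        """Return the first originator payload the moment it is seen, else None."""
        k = self._key(p)
        st = self.conns.get(k)
        if st is None:
            # Only a bare SYN opens new state; mid-stream packets are ignored.
            if p.flags & SYN and not p.flags & ACK:
                self.conns[k] = ConnState(orig=(p.src, p.sport))
            return None
        if p.flags & RST:
            del self.conns[k]
            return None
        is_orig = (p.src, p.sport) == st.orig
        if not st.established:
            if not is_orig and (p.flags & SYN) and (p.flags & ACK):
                st.saw_synack = True
                return None
            if is_orig and st.saw_synack and (p.flags & ACK):
                st.established = True   # the final ACK may itself carry data
            else:
                return None
        if is_orig and p.payload and st.first_orig_payload is None:
            st.first_orig_payload = p.payload
            return p.payload
        return None


def looks_like_client_hello(payload: bytes) -> bool:
    """Shape check: content type 0x16 (handshake), record version 3.x,
    handshake type 0x01, handshake length consistent with the record length.
    Assumes the ClientHello fits in a single record (the common case)."""
    if len(payload) < 9:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x03:
        return False
    record_len = struct.unpack("!H", payload[3:5])[0]
    hs_len = int.from_bytes(payload[6:9], "big")
    return payload[5] == 0x01 and hs_len + 4 == record_len


def build_client_hello() -> bytes:
    """Hand-built TLS 1.2 ClientHello: one cipher suite, no extensions."""
    body = (b"\x03\x03"                  # client_version TLS 1.2
            + bytes(range(32))           # client_random (constructed, not random)
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one cipher suite
            + b"\x01\x00")               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def handshake_then(payload: bytes) -> List[Packet]:
    """Constructed flow: 3-way handshake, a data-less server ACK, then the
    originator's first payload."""
    c, s = ("10.0.0.5", 40000), ("203.0.113.9", 443)
    return [Packet(*c, *s, SYN), Packet(*s, *c, SYN | ACK), Packet(*c, *s, ACK),
            Packet(*s, *c, ACK), Packet(*c, *s, PSH | ACK, payload)]


def classify_flow(packets: List[Packet]) -> Optional[bool]:
    """True/False: whether the first originator payload looks like a
    ClientHello; None if no such payload was seen."""
    tracker = FirstPayloadTracker()
    for p in packets:
        first = tracker.feed(p)
        if first is not None:
            return looks_like_client_hello(first)
    return None


if __name__ == "__main__":
    print("plain TLS :", classify_flow(handshake_then(build_client_hello())))
    print("opaque    :", classify_flow(handshake_then(bytes(range(64)))))
```

The first flow yields `True`, the second (an opaque, non-TLS-shaped first payload, which is what an obfuscated handshake presents) yields `False`; a flow whose SYN was never seen yields `None`, which is the same gap an IDS sees when it joins a connection mid-stream.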
