[Bro] First orig_h packet after 3 way handshake

Johanna Amann johanna at icir.org
Thu Jul 14 10:30:37 PDT 2016


Oh, interesting.

You should be able to use the new_packet/packet_contents events and add 
some counter to the connection record to let you count at which place in 
the handshake you are.

But - these are very expensive events, so you might get into problems 
when trying to run this on a link that has any real volume on it.

Johanna

On 14 Jul 2016, at 10:26, Ben Mixon-Baca wrote:

> I'm looking at Tor+obfs4. Normally, everything parsed out using the
> events in the SSL module would be perfect but since the handshake is
> obfuscated, none of those events fire. I was trying to look at the
> packet that _should_ be the client hello in order to see if there is
> anything regular about that particular payload.
>
> On 07/13/2016 05:17 PM, Johanna Amann wrote:
>> Out of curiosity - what are you trying to do?
>>
>> (I am always curious what people try to get from the SSL handshake
>> that we do not parse out yet...)
>>
>> Johanna
>>
>> On 13 Jul 2016, at 16:04, Ben Mixon-Baca wrote:
>>
>>> Unfortunately for what I am doing, I cannot.
>>>
>>> On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
>>>>
>>>>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu>
>>>>> wrote:
>>>>>
>>>>> Does Bro have an event that will get fired for the first packet
>>>>> after the tcp 3-way handshake, or is there a way to get at that
>>>>> easily or does it require a lot of state to be maintained in the
>>>>> script?
>>>>>
>>>>> I am trying to get at this first packet following the 3 way
>>>>> handshake because that is where the client hello in the ssl
>>>>> handshake should be.
>>>>
>>>> Can you use the ssl_client_hello event?
>>>>
>>>> event ssl_client_hello(c: connection, version: count, possible_ts: time,
>>>> client_random: string, session_id: string, ciphers: index_vec)
>>>>
>>>
>>> -- 
>>> Ben
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> -- 
> Ben
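The approach Johanna describes above, written out as an added example Bro script that is not part of the thread: it counts packets per connection after the handshake and reports the first originator packet carrying payload (where a Client Hello would normally sit). The FirstPayload module, the added connection fields, and the assumption that packet_contents is raised after new_packet for the same packet are all this example's own; new_packet, packet_contents and connection_established are Bro's events.

```bro
module FirstPayload;

export {
    ## Raised once per connection for the first originator payload packet
    ## after the handshake; pos is its 1-based index among packets seen on
    ## the connection since the handshake completed.
    global first_orig_payload: event(c: connection, pos: count, payload: string);
}

# Per-connection state added for this example (not part of Bro's record).
redef record connection += {
    hs_done:  bool  &default=F;  # SYN, SYN/ACK and ACK all seen
    post_hs:  count &default=0;  # packets counted after the handshake
    pending:  count &default=0;  # position of a payload packet awaiting bytes
    reported: bool  &default=F;  # first payload already reported
};

event connection_established(c: connection)
{
    c$hs_done = T;
}

# Expensive: Bro only generates this once a handler exists, and it fires
# for every packet, so expect a real cost on a busy link.
event new_packet(c: connection, p: pkt_hdr)
{
    if ( ! c$hs_done || c$reported || ! p?$tcp )
        return;

    ++c$post_hs;

    # Only originator-to-responder packets that carry data are of interest.
    if ( p$tcp$sport != c$id$orig_p || p$tcp$dl == 0 )
        return;

    # Remember the position; the bytes arrive in packet_contents (assumed
    # to be raised after new_packet for the same packet).
    c$pending = c$post_hs;
}

event packet_contents(c: connection, contents: string)
{
    if ( c$pending == 0 || c$reported )
        return;

    c$reported = T;
    event FirstPayload::first_orig_payload(c, c$pending, contents);
}

event FirstPayload::first_orig_payload(c: connection, pos: count, payload: string)
{
    print fmt("%s: first orig payload is packet %d after handshake, %d bytes, leading bytes %s",
              c$id, pos, |payload|, bytestring_to_hexstr(sub_bytes(payload, 1, 4)));
}
```

Run it with `bro -r trace.pcap first_payload.bro` on a capture; the leading bytes let you compare the obfuscated payload against a plain TLS record header (0x16 0x03 ...).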

