[Bro] First orig_h packet after 3 way handshake

Johanna Amann johanna at icir.org
Thu Jul 14 10:31:39 PDT 2016


Actually, thinking a bit more about it - tcp_packet might be the best 
event for this.

On 14 Jul 2016, at 10:30, Johanna Amann wrote:

> Oh, interesting.
>
> You should be able to use the new_packet/packet_contents events and 
> add some counter to the connection record to let you count at which 
> place in the handshake you are.
>
> But - these are very expensive events, so you might get into problems 
> when trying to run this on a link that has any real volume on it.
>
> Johanna
>
> On 14 Jul 2016, at 10:26, Ben Mixon-Baca wrote:
>
>> I'm looking at Tor+obfs4. Normally, everything parsed out using the
>> events in the SSL module would be perfect but since the handshake is
>> obfuscated, none of those events fire. I was trying to look at the
>> packet that _should_ be the client hello in order to see if there is
>> anything regular about that particular payload.
>>
>> On 07/13/2016 05:17 PM, Johanna Amann wrote:
>>> Out of curiosity - what are you trying to do?
>>>
>>> (I am always curious what people try to get from the SSL handshake
>>> that we do not parse out yet...)
>>>
>>> Johanna
>>>
>>> On 13 Jul 2016, at 16:04, Ben Mixon-Baca wrote:
>>>
>>>> Unfortunately for what I am doing, I cannot.
>>>>
>>>> On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
>>>>>
>>>>>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu>
>>>>>> wrote:
>>>>>>
>>>>>> Does Bro have an event that will get fired for the first packet
>>>>>> after the tcp 3-way handshake, or is there a way to get at that
>>>>>> easily or does it require a lot of state to be maintained in the
>>>>>> script?
>>>>>>
>>>>>> I am trying to get at this first packet following the 3 way
>>>>>> handshake because that is where the client hello in the ssl
>>>>>> handshake should be.
>>>>>
>>>>> Can you use the ssl_client_hello event?
>>>>>
>>>>> event ssl_client_hello(c: connection, version: count, possible_ts:
>>>>> time, client_random: string, session_id: string, ciphers: 
>>>>> index_vec)
>>>>>
>>>>
>>>> -- 
>>>> Ben
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> -- 
>> Ben
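The approach Johanna sketches above (a counter on the connection record that tracks the handshake position, driven from the tcp_packet event) as an added, worked example. This is not code from the thread or from the Bro project; the module name, the record fields, the watch_ports set and the first_orig_payload event are my own names, and it assumes the Bro 2.x scripting API of the time.

```bro
# Added example (not from the thread): walk the TCP 3-way handshake per
# connection and report the first originator packet that carries payload
# once the handshake has completed. Names below are this example's own.

module FirstPayload;

export {
    ## Hypothetical event raised once per connection with the first
    ## originator payload seen after the handshake completed.
    global first_orig_payload: event(c: connection, payload: string);

    ## Restrict the expensive handler to ports of interest. obfs4 bridges
    ## use no fixed port, so this set is an assumption to adjust per site.
    const watch_ports: set[port] = { 443/tcp, 9001/tcp } &redef;
}

redef record connection += {
    ## Handshake position: 0 = nothing seen, 1 = SYN from orig,
    ## 2 = SYN/ACK from resp, 3 = final ACK from orig (handshake done).
    hs_state: count &default=0;
    ## Set once the first originator payload has been reported.
    hs_reported: bool &default=F;
};

# tcp_packet fires for every TCP packet as soon as a handler exists, so the
# early returns only keep the handler body cheap; the event cost remains.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
{
    if ( c$id$resp_p !in watch_ports )
        return;
    if ( c$hs_reported )
        return;

    # Advance the handshake state machine. "S" in flags is a substring
    # test on the flag string Bro hands us (e.g. "S", "SA", "A", "PA").
    if ( c$hs_state == 0 && is_orig && "S" in flags && "A" !in flags )
        c$hs_state = 1;
    else if ( c$hs_state == 1 && ! is_orig && "S" in flags && "A" in flags )
        c$hs_state = 2;
    else if ( c$hs_state == 2 && is_orig && "A" in flags && "S" !in flags )
        c$hs_state = 3;

    # First originator packet with data after the handshake. A client that
    # piggybacks data on its final ACK is caught here in the same packet,
    # because the state advanced to 3 just above.
    if ( c$hs_state == 3 && is_orig && len > 0 )
    {
        c$hs_reported = T;
        event first_orig_payload(c, payload);
    }
}

event first_orig_payload(c: connection, payload: string)
{
    # Example consumer: print a hex prefix of the payload so one can look
    # for any regular structure in the obfuscated "client hello". payload
    # may be shorter than len if the packet was not fully captured.
    print fmt("%s first orig payload (%d bytes): %s",
              c$id, |payload|, bytestring_to_hexstr(sub_bytes(payload, 1, 16)));
}
```

Run it offline against a capture with `bro -r trace.pcap first_payload.bro`; as the thread warns, loading it on a live link of any real volume will cost far more than the port filter saves, since tcp_packet is still raised for every TCP packet. Retransmissions of the SYN or SYN/ACK do not disturb the state machine, because each transition only accepts the packet it is waiting for, and the hs_reported flag guarantees a single report even if the first data packet is retransmitted.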

