[Bro] First orig_h packet after 3 way handshake

Ben Mixon-Baca bmixonb1 at cs.unm.edu
Thu Jul 14 10:39:34 PDT 2016


Cool, thanks Johanna! I had started to use the tcp_packet event but was
concerned about the amount of state I would need to keep; I hadn't even
thought to add to the connection record. Thanks!

Fortunately, all of the analysis I am doing is on pcaps so I don't need
to worry about running my script on live traffic.

On 07/14/2016 10:31 AM, Johanna Amann wrote:
> Actually, thinking a bit more about it - tcp_packet might be the best
> event for this.
> 
> On 14 Jul 2016, at 10:30, Johanna Amann wrote:
> 
>> Oh, interesting.
>>
>> You should be able to use the new_packet/packet_contents events and
>> add some counter to the connection record to let you count at which
>> place in the handshake you are.
>>
>> But - these are very expensive events, so you might get into problems
>> when trying to run this on a link that has any real volume on it.
>>
>> Johanna
>>
>> On 14 Jul 2016, at 10:26, Ben Mixon-Baca wrote:
>>
>>> I'm looking at Tor+obfs4. Normally, everything parsed out using the
>>> events in the SSL module would be perfect but since the handshake is
>>> obfuscated, none of those events fire. I was trying to look at the
>>> packet that _should_ be the client hello in order to see if there is
>>> anything regular about that particular payload.
>>>
>>> On 07/13/2016 05:17 PM, Johanna Amann wrote:
>>>> Out of curiosity - what are you trying to do?
>>>>
>>>> (I am always curious what people try to get from the SSL handshake that
>>>> we do not parse out yet...)
>>>>
>>>> Johanna
>>>>
>>>> On 13 Jul 2016, at 16:04, Ben Mixon-Baca wrote:
>>>>
>>>>> Unfortunately for what I am doing, I cannot.
>>>>>
>>>>> On 07/13/2016 03:58 PM, Azoff, Justin S wrote:
>>>>>>
>>>>>>> On Jul 13, 2016, at 6:36 PM, Ben Mixon-Baca <bmixonb1 at cs.unm.edu>
>>>>>>> wrote:
>>>>>>>
>>>>>>> Does Bro have an event that will get fired for the first packet after
>>>>>>> the tcp 3-way handshake, or is there a way to get at that easily or does
>>>>>>> it require a lot of state to be maintained in the script?
>>>>>>>
>>>>>>> I am trying to get at this first packet following the 3 way handshake
>>>>>>> because that is where the client hello in the ssl handshake should be.
>>>>>>
>>>>>> Can you use the ssl_client_hello event?
>>>>>>
>>>>>> event ssl_client_hello(c: connection, version: count, possible_ts:
>>>>>> time, client_random: string, session_id: string, ciphers: index_vec)
>>>>>>
>>>>>
>>>>> -- 
>>>>> Ben
>>>>>
>>>>> _______________________________________________
>>>>> Bro mailing list
>>>>> bro at bro-ids.org
>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>> -- 
>>> Ben

-- 
Ben
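As an added illustration of Johanna's suggestion (not code from the thread or from the Bro project), here is a Bro 2.x script that puts a counter in the connection record via tcp_packet and reports the first originator segment carrying payload after the handshake, which is where a ClientHello would normally sit. The field names, the output line and the 8-byte preview are my own assumptions.

```bro
# Added example: report the first originator data segment after the
# TCP 3-way handshake, using tcp_packet plus a per-connection counter.
# Note that tcp_packet is only generated when a handler exists, and it
# fires for every segment, so this is meant for pcaps, not a busy link.

redef record connection += {
    ## Originator segments seen so far on this connection (SYN is #1).
    orig_pkts: count &default=0;
    ## Set once the first originator data segment has been reported, so
    ## retransmissions of that segment are not reported again.
    first_orig_reported: bool &default=F;
};

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
    {
    if ( ! is_orig )
        return;

    ++c$orig_pkts;

    # Already done for this connection, or a segment with no payload
    # (the SYN and the bare ACK that completes the handshake).
    if ( c$first_orig_reported || len == 0 )
        return;

    # A segment still carrying SYN is part of the handshake itself (e.g.
    # data on SYN), not the packet we are after.
    if ( "S" in flags )
        return;

    c$first_orig_reported = T;

    # Assumed output format: connection id, position of this segment in
    # the originator's packet sequence, payload length and a hex preview.
    print fmt("%s: first orig data segment is orig packet #%d, %d bytes, starts %s",
              id_string(c$id), c$orig_pkts, len,
              bytestring_to_hexstr(sub_bytes(payload, 1, 8)));
    }
```

Run it offline over a trace with `bro -r trace.pcap first_orig.bro`; for an unobfuscated TLS connection the preview should begin with 16 03 (a TLS handshake record), while an obfuscated handshake will show no such fixed prefix.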
