[Bro] VNC payload

Jon Siwek jsiwek at corelight.com
Thu Nov 15 08:03:08 PST 2018


On Thu, Nov 15, 2018 at 9:41 AM Charlie <bucweat at rushpost.com> wrote:

> 1496000046.839399 C9iQbO1Y4veE4M2MDe 192.168.1.19 5900 192.168.1.14 50663 tcp - 184.468970 9195324 68250 OTH - - 0 DadAT 12266 9838046 8647 518684 (empty)
>
> If I run without the BPF filter:
>
> bro -r ../capture.pcap /usr/local/share/bro/base/protocols/conn/contents.bro
>
> I get data files for other conversations with filenames that look like
>
> contents_192.168.1.19:50560-192.168.1.8:62078_orig.dat
>
> which contain content that I expect based on looking at pcap in wireshark, but nothing for the conversation on port 5900.

The conn.log history field of "DadAT" indicates the TCP handshake is
not present for that connection in the pcap, however, contents.bro is
handling a "connection_established" event in order to trigger the
content-dumping, and that is only generated "when seeing a SYN-ACK
packet from the responder in a TCP handshake".

Another caveat from the "set_contents_file" documentation that may be
useful to know and relevant to your use-case: "If any data is missing,
the recording stops at the missing data".

- Jon
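One way to get the content dump for a connection whose handshake is missing from the pcap, as an added example that is not part of this thread and not Bro's own contents.bro: hook `new_connection`, which Bro raises for every connection it starts tracking (including one first seen mid-stream), instead of `connection_established`, which needs the responder's SYN-ACK. The script assumes the `set_contents_file`, `port_to_count`, `open` and `Reporter::warning` built-ins as documented for Bro 2.x; the module name, the `ContentsNoHandshake::ports` set and the file-name layout are this example's own choices, modelled on the `contents_<orig>-<resp>_orig.dat` names seen above.

```zeek
# Added example, not from the thread or from base/protocols/conn/contents.bro.
# Start extracting connection contents on new_connection rather than
# connection_established, so a capture that lacks the TCP handshake
# (conn.log history without "S"/"h", e.g. "DadAT") still gets dumped.

module ContentsNoHandshake;

export {
	## Responder ports to extract. 5900/tcp is the VNC port from the
	## conn.log line in the thread; extend via redef.
	const ports: set[port] = { 5900/tcp } &redef;

	## Prefix for the output files (assumed name, chosen to match the
	## contents_*.dat files contents.bro writes).
	const prefix = "contents" &redef;
}

# Open one output file and attach it to the connection in the given
# direction (CONTENTS_ORIG or CONTENTS_RESP).
function open_contents(c: connection, dir: count, suffix: string)
	{
	# port_to_count() gives the bare number so the name has no "/tcp".
	local fname = fmt("%s_%s:%d-%s:%d_%s", prefix,
	                  c$id$orig_h, port_to_count(c$id$orig_p),
	                  c$id$resp_h, port_to_count(c$id$resp_p), suffix);

	local f = open(fname);

	if ( ! set_contents_file(c$id, dir, f) )
		Reporter::warning(fmt("set_contents_file failed for %s", fname));
	}

# new_connection fires on the first packet Bro sees for the connection,
# handshake or not, which is early enough to capture everything that
# follows in the trace.
event new_connection(c: connection)
	{
	if ( c$id$resp_p !in ports )
		return;

	open_contents(c, CONTENTS_ORIG, "orig.dat");
	open_contents(c, CONTENTS_RESP, "resp.dat");
	}
```

Run it as `bro -r capture.pcap contents-no-handshake.bro` (any file name will do). The second caveat Jon quotes still applies: `set_contents_file` stops writing at the first gap in the stream, so a trace with missed packets yields a truncated `.dat` file, not a file with a hole in it.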
