
List:       bro
Subject:    [Bro] get TCP payload of first ACK from client
From:       Xu Zhang <zhangxu1115 () gmail ! com>
Date:       2017-06-23 22:47:45
Message-ID: CAAxO33xbgxcra_peSQJ+56ext3CM0reyMDmvng86A24Gi0iVsQ () mail ! gmail ! com

Hello,

I'm writing a Bro script to output the TCP payload of the first ACK from the client
(is_orig = True).
I'm currently using the tcp_packet event, checking the ACK flag and payload length
as well as whether it is the first ACK. I'm wondering if there is a cheaper way
to achieve this, since tcp_packet is pretty expensive.

I cannot use the connection_first_ACK event because it does not give me the
actual TCP payload.
I cannot use ssl_client_hello because I want to handle not only SSL.

Does anyone have suggestions? Thanks for the help!


-- 
Sincerely,
Xu Zhang

_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
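As an added illustration (not code from the poster or from the Bro project), the script below records the first data-carrying segment sent by the client (is_orig = T) of each TCP connection, once per connection, and writes a truncated, escaped copy of it to its own log. Instead of tcp_packet, which fires for every segment, it uses the tcp_contents event, which the core raises only for segments that actually carry payload and only for the side(s) enabled via tcp_content_deliver_all_orig; the module name, log path and field names are my own choices.

```bro
# Added example: log the first client payload of every TCP connection.
# Assumes Bro 2.x event and function signatures (tcp_contents,
# connection_state_remove, sub_bytes, escape_string, Log::*).
module FirstPayload;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:      time    &log;   # when the first client data was seen
        uid:     string  &log;   # connection uid, to join with conn.log
        id:      conn_id &log;   # 4-tuple
        len:     count   &log;   # size of that first data chunk
        payload: string  &log;   # escaped, truncated copy of the data
    };

    ## Keep at most this many bytes of the payload in the log (hypothetical knob).
    const max_bytes = 64 &redef;
}

# Ask the core to deliver originator content for all ports, not only the
# ones listed in tcp_content_delivery_ports_orig. This is what makes
# tcp_contents fire; it is not free, but it is raised only for segments
# carrying data, unlike tcp_packet which is raised for every segment.
redef tcp_content_deliver_all_orig = T;

# Connections whose first client payload has already been logged.
# The expiry is a safety net; connection_state_remove does the real cleanup.
global seen: set[string] &read_expire = 5min;

event bro_init()
    {
    Log::create_stream(FirstPayload::LOG, [$columns=Info, $path="first_payload"]);
    }

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    # Only client-to-server data, only the first chunk per connection.
    if ( ! is_orig || |contents| == 0 || c$uid in seen )
        return;

    add seen[c$uid];

    local rec: Info = [$ts=network_time(),
                       $uid=c$uid,
                       $id=c$id,
                       $len=|contents|,
                       # sub_bytes is 1-based; escape so binary bytes stay printable
                       $payload=escape_string(sub_bytes(contents, 1, max_bytes))];

    Log::write(FirstPayload::LOG, rec);
    }

event connection_state_remove(c: connection)
    {
    # Drop bookkeeping as soon as the connection is gone.
    delete seen[c$uid];
    }
```

If the ACK flag check from the original approach is still wanted, the same `seen` bookkeeping works inside a tcp_packet handler (`"A" in flags && is_orig && len > 0`), but that brings back the per-segment cost the post is trying to avoid. Note that tcp_contents delivers reassembled, in-order data, so the first chunk is the first bytes of the client's stream rather than whatever segment happened to arrive first.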
