First orig_h packet after 3 way handshake

Does Bro have an event that will get fired for the first packet after
the tcp 3-way handshake, or is there a way to get at that easily or does
it require a lot of state to be maintained in the script?

I am trying to get at this first packet following the 3 way handshake
because that is where the client hello in the ssl handshake should be.

Can you use the ssl_client_hello event?

event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)

Unfortunately for what I am doing, I cannot.

Out of curiosity - what are you trying to do?

(I am always curious what people try to get from the SSL handshake that we do not parse out yet...)


I'm looking at Tor+obfs4. Normally, everything parsed out using the
events in the SSL module would be perfect but since the handshake is
obfuscated, none of those events fire. I was trying to look at the
packet that _should_ be the client hello in order to see if there is
anything regular about that particular payload.

Oh, interesting.

You should be able to use the new_packet/packet_contents events and add some counter to the connection record to let you count at which place in the handshake you are.

But - these are very expensive events, so you might get into problems when trying to run this on a link that has any real volume on it.


Actually, thinking a bit more about it - tcp_packet might be the best event for this.
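As an added illustration of the approach suggested above (this script is not from the thread or from the Bro project itself), the following Bro script extends the connection record with a counter and uses the tcp_packet event to catch the first originator packet carrying payload, which is where a TLS ClientHello would normally sit. It assumes the Bro 2.x tcp_packet signature; the field name orig_payload_pkts is an arbitrary choice.

```zeek
# Added example: track originator payload packets per connection so the
# first one after the 3-way handshake can be inspected (e.g. on a pcap).
# The field name orig_payload_pkts is an assumption of this example.
redef record connection += {
    orig_payload_pkts: count &default=0;
};

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
{
    # SYN and pure ACK segments carry no payload; skip them and the responder.
    if ( ! is_orig || len == 0 )
        return;

    ++c$orig_payload_pkts;

    if ( c$orig_payload_pkts == 1 )
    {
        # First originator payload of the connection: for plain TLS this would
        # be the ClientHello; for obfuscated traffic it is whatever replaces it.
        print fmt("%s %s:%d -> %s:%d first orig payload: %d bytes, leading bytes %s",
                  c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  len, bytestring_to_hexstr(sub_bytes(payload, 1, 16)));
    }
}
```

Run it against a capture with `bro -r trace.pcap first_payload.bro` (file names assumed). Because tcp_packet is raised for every TCP segment, this is only practical on pcaps or low-volume links, as noted above.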

Cool, thanks Johanna! I had started to use the tcp_packet event but was
concerned about the amount of state I would need to keep; I hadn't even
thought to add to the connection record, thanks!

Fortunately, all of the analysis I am doing is on pcaps so I don't need
to worry about running my script on live traffic.