First orig_h packet after 3 way handshake

Does Bro have an event that will get fired for the first packet after
the TCP 3-way handshake, or is there a way to get at that easily, or does
it require a lot of state to be maintained in the script?

I am trying to get at this first packet following the 3 way handshake
because that is where the client hello in the ssl handshake should be.

Can you use the ssl_client_hello event?

event ssl_client_hello(c: connection, version: count, possible_ts: time, client_random: string, session_id: string, ciphers: index_vec)

Unfortunately for what I am doing, I cannot.

Out of curiosity - what are you trying to do?

(I am always curious what people try to get from the SSL handshake that we do not parse out yet...)

Johanna

I'm looking at Tor+obfs4. Normally, everything parsed out using the
events in the SSL module would be perfect but since the handshake is
obfuscated, none of those events fire. I was trying to look at the
packet that _should_ be the client hello in order to see if there is
anything regular about that particular payload.

Oh, interesting.

You should be able to use the new_packet/packet_contents events and add some counter to the connection record to let you count at which place in the handshake you are.

But - these are very expensive events, so you might get into problems when trying to run this on a link that has any real volume on it.

Johanna

Actually, thinking a bit more about it - tcp_packet might be the best event for this.
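One way to do what Johanna describes, as an added example that is not code from the thread or from the Bro project: handle tcp_packet, keep a per-connection counter of originator segments in a field added to the connection record, and report the first originator segment that carries payload (the position of the ClientHello in a TLS connection). The field names orig_segs and orig_first_data_seen are assumptions; the tcp_packet signature and the builtins used (fmt, sub_bytes, bytestring_to_hexstr) are the standard Bro/Zeek ones.

```zeek
# Added example, not from the original thread. Finds the first
# originator payload after the TCP 3-way handshake using tcp_packet and
# a counter stored on the connection record.

redef record connection += {
    ## Assumed field names: originator segments seen so far, and whether
    ## the first payload-carrying one has already been reported.
    orig_segs: count &default=0;
    orig_first_data_seen: bool &default=F;
};

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Only the originator's side matters here.
    if ( ! is_orig )
        return;

    ++c$orig_segs;

    # The SYN and the handshake-completing ACK carry no payload, so the
    # first originator segment with len > 0 is the first post-handshake
    # packet: the ClientHello position in TLS, or whatever an obfuscated
    # handshake sends first. Report it once per connection.
    if ( len == 0 || c$orig_first_data_seen )
        return;

    c$orig_first_data_seen = T;

    print fmt("%s %s:%s -> %s:%s segment #%d flags=%s len=%d head=%s",
              c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              c$orig_segs, flags, len,
              bytestring_to_hexstr(sub_bytes(payload, 0, 16)));
    }
```

Run it over a capture with `bro -r file.pcap first-payload.bro`. In a normally captured connection the reported segment is #3 (SYN, ACK, then data); a higher number means retransmissions or keep-alives preceded the data, and a lower one means the capture started mid-stream or the SYN itself carried data (TCP Fast Open), so the counter is worth checking before trusting the payload as "first after the handshake". Defining the handler is what makes Bro generate tcp_packet at all, and it is generated for every segment, which is why it is costly on live links.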

Cool, thanks Johanna! I had started to use the tcp_packet event but was
concerned about the amount of state I would need to keep; I hadn't even
thought to add to the connection record. Thanks!

Fortunately, all of the analysis I am doing is on pcaps so I don't need
to worry about running my script on live traffic.