Protocol Analyzer

Hi,

I am doing low level packet inspection using the tcp_packet event. I am
wondering if there is a way to inspect only the tcp payload if it
doesn't parse to any well-known tcp based application. For example, if
an application uses 20394/tcp for TLS, I would not want to see this
payload. However, if the application using 20394/tcp has a payload that
doesn't parse to anything Bro speaks, I would like to be able to inspect
this tcp payload.

Thanks in advance!

Hello Ben,

the easiest way to accomplish this is probably to look into the c$service
field - if it is empty, no analyzer has flagged that it can successfully
parse the protocol yet.

This is, however, not perfect - c$service is populated by the
protocol_confirmation/violation. Thus, it will only be set after a parser
accepts that a connection actually "speaks" a protocol; so you will
probably get the first few packets for every connection - see
base/frameworks/dpd/main.bro for more details.

Apart from that, you can also check Analyzer::registered_ports for ports
where Bro always tries to attach a specific analyzer.

I hope this helps,
Johanna
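As an added illustration of the approach described in the reply above (this is example code written for this thread, not a script from the Bro project or from either poster), the following Bro script handles tcp_packet and only looks at payload when c$service is still empty and the responder port is not one of the ports returned by Analyzer::all_registered_ports(). The byte threshold min_bytes_before_inspect and the module name PayloadInspect are assumptions: the threshold is one way to work around the caveat that c$service is only set once a parser has confirmed the protocol, so the first few packets of every connection would otherwise be reported.

```zeek
module PayloadInspect;

export {
    ## Assumed threshold: total bytes a connection must have carried before
    ## we trust that DPD has had a chance to confirm (or reject) a protocol.
    const min_bytes_before_inspect = 1024 &redef;
}

# Ports for which Bro always attaches a specific analyzer, built once at
# startup from the analyzer framework's port registrations.
global well_known_ports: set[port];

event bro_init()
    {
    local all = Analyzer::all_registered_ports();
    for ( tag in all )
        for ( p in all[tag] )
            add well_known_ports[p];
    }

# Decide whether this connection's payload is still unidentified.
function should_inspect(c: connection): bool
    {
    # A protocol analyzer has already confirmed what this connection speaks.
    if ( |c$service| > 0 )
        return F;

    # Bro attaches an analyzer on this port regardless of content; give
    # that analyzer the benefit of the doubt and skip the payload.
    if ( c$id$resp_p in well_known_ports )
        return F;

    # Too early: no analyzer has had enough data to confirm or violate yet.
    if ( c$orig$size + c$resp$size < min_bytes_before_inspect )
        return F;

    return T;
    }

event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    if ( len == 0 )
        return;

    if ( ! should_inspect(c) )
        return;

    # Payload is unidentified at this point; log a short hex prefix rather
    # than the raw bytes so output stays readable.
    print fmt("unidentified payload %s -> %s (%s bytes): %s",
              c$id$orig_h, c$id$resp_p, len,
              bytestring_to_hexstr(sub_bytes(payload, 1, 16)));
    }
```

Two things worth keeping in mind when adapting this: tcp_packet fires for every TCP packet once a handler exists, so the checks above run on every packet and the script will not scale to busy links; and the threshold only delays inspection, so a connection whose analyzer confirms late (or that never exchanges enough bytes) is still either reported once or not at all.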

Thanks, Johanna! That gives me a place to start.