Hello
I am pretty new with BRO so I might have missed something. I have
however looked through the documentation and tried searching the mail
list for an answer before posting.
I'd like to log the payload of the first TCP packet in an established
session, without using the performance costly new_packet event.
I was hoping to an event that could trigger on an TCP state change, but
there don't seem to exist any such event.
I also want to do this for ICMP and UDP but that seems pretty straight
forward by combining the new_connection event and the get
get_current_packet function.
I did look at connection_established event but that one did never
trigger. I understand from the documentation that this event only
triggers if BRO sees packets that are established, but BRO missed the
handshake part.
I also looked at the Conn::log_conn event and the conn_state property,
but it doesn't seem that this one triggers for every packet.
My idea is to make some kind of list containing the connection's uid,
(add uid with the new_connection event for TCP packets only). On every
session iterate this list look for the first established packet for
sessions in the list. Save the contents and then remove the uid from the
list again. This should hopefully keep the list quite short enough to
not be to performance heavy.
The problem is that I don't find an event that seems appropriate to use
for this.
Are there better solutions to this? Any pointers are most welcome!
BR,
Peter