Forum Discussion
rshetty_242152
Nimbostratus
@Kevin Stewart I tried to use the rule which you mentioned. I was unable to get the content type as 22 in the payload. Not sure why. I extracted all the bytes from the payload and nothing made sense to me. Here is what it logs: Type == 72 84 84 80 47 49 46 49 32 50 48 ..... 125 125
Here is the part of the rule modified:
when SERVER_DATA {
    # c* scans every byte of the payload as a signed 8-bit integer into $type
    binary scan [TCP::payload] c* type
    log local0. "Type == $type"
}
Kevin_Stewart
Apr 17, 2018 (Employee)
Well,
- c* would give you all of the bytes, and you only need the first one.
- 72 probably indicates that you're not looking at part of the TLS handshake. In fact, if you decode that hex string, it starts with "GIFI2PH", which looks like (I'm assuming) a plaintext image response.
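To make the point in Kevin's reply concrete, here is an added Python example (not code from the thread and not F5 iRule code) that does what a corrected iRule would do: it reads only the first byte of the server payload, treats it as the TLS record content type, and parses the 5-byte record header (content type, version, length) instead of scanning every byte with c*. It also shows why the original log line looked like nonsense: fed the decimal bytes the poster logged (72 84 84 80 47 49 46 49 32 50 48), the first byte is 72, which is ASCII "H", and the bytes spell "HTTP/1.1 20", so the virtual server was seeing plaintext HTTP, not a TLS handshake. The TLS ServerHello record header is constructed for the example; the function and constant names are mine.

```python
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1).
# 22 is the handshake type the original iRule was trying to match.
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}

# Constructed sample inputs.
# 1) The decimal bytes the poster logged, converted back to raw bytes.
POSTED_PAYLOAD = bytes([72, 84, 84, 80, 47, 49, 46, 49, 32, 50, 48])
# 2) A hand-built TLS 1.2 ServerHello record header: type 0x16 (22),
#    version 0x0303, length 0x002a, followed by the start of the handshake body.
TLS_SERVER_HELLO = bytes.fromhex("16 03 03 00 2a 02 00 00 26 03 03")


def classify_payload(payload: bytes) -> dict:
    """Look at the first bytes of a server-side payload and decide whether it
    is a TLS record or something else (e.g. plaintext HTTP).

    Mirrors what `binary scan [TCP::payload] c type` would give an iRule:
    one byte, not the whole buffer.
    """
    if len(payload) < 5:
        # Not enough data for a TLS record header; report what we have.
        return {"kind": "too_short", "first_byte": payload[0] if payload else None}

    # Network byte order: 1-byte content type, 2-byte version, 2-byte length.
    content_type, version, length = struct.unpack("!BHH", payload[:5])

    # A real TLS record has a known content type and a 3.x version field.
    if content_type in TLS_CONTENT_TYPES and (version >> 8) == 3:
        return {
            "kind": "tls",
            "content_type": content_type,
            "name": TLS_CONTENT_TYPES[content_type],
            "version": f"{version >> 8}.{version & 0xFF}",
            "record_length": length,
        }

    # Not TLS: decode a short printable prefix so a log line is readable.
    prefix = payload[:16].decode("ascii", errors="replace")
    return {"kind": "plaintext", "first_byte": content_type, "prefix": prefix}


if __name__ == "__main__":
    print(classify_payload(POSTED_PAYLOAD))
    print(classify_payload(TLS_SERVER_HELLO))
```

In an iRule the equivalent is `binary scan [TCP::payload] c type` (a single `c`, no `*`) followed by a check like `if { $type == 22 }`. Note that Tcl's `c` format returns a signed byte, so values of 128 and above come back negative; the TLS content types are all below 128, but if you ever compare other first bytes, mask the result with `expr {$type & 0xff}` first.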