Is it possible to inspect TCP reserved bits with Zeek?


I'm testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol, I am now trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with the help of TCP events. Unfortunately, without success so far.

Is it possible to inspect TCP reserved bits with Zeek?


Best answer

Not out of the box, no. One way to add it would be to expand the TCP_Flags class in your local build so it captures the TCP header's th_x2 field bits as well. Then, use the tcp_packet event, which reports the flags.

This would be quite slow, though, as it'd be packet-level analysis.
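The check the answer describes (capturing the th_x2 nibble alongside the TCP flag byte) written as a stand-alone parser, added here as an illustration and not Zeek's own code: it extracts the reserved bits from a raw TCP header and reports any nonzero value, using two constructed segments as input.

```python
import struct
from dataclasses import dataclass

TCP_MIN_HEADER = 20  # bytes; data offset 5 words, no options


@dataclass(frozen=True)
class TcpFlags:
    """Mirror of what an extended TCP_Flags would carry: th_x2 plus the flag byte."""
    data_offset: int  # header length in 32-bit words (high nibble of byte 12)
    reserved: int     # th_x2: the 4 reserved bits (low nibble of byte 12)
    flags: int        # CWR/ECE/URG/ACK/PSH/RST/SYN/FIN (byte 13)


def parse_tcp_flags(segment: bytes) -> TcpFlags:
    """Parse byte 12 (data offset + reserved) and byte 13 (flags) of a TCP header."""
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("truncated TCP header")
    off_x2, flags = struct.unpack_from("!BB", segment, 12)
    data_offset = off_x2 >> 4
    if data_offset < 5:
        raise ValueError("invalid TCP data offset")
    return TcpFlags(data_offset=data_offset, reserved=off_x2 & 0x0F, flags=flags)


def reserved_bits_set(segment: bytes) -> bool:
    """Detection predicate: RFC 793 requires the reserved bits to be zero on the wire.
    Note the lowest bit was later assigned to the experimental ECN nonce flag
    (RFC 3540), so a strict deployment may want to mask it before alerting."""
    return parse_tcp_flags(segment).reserved != 0


def build_tcp_header(sport: int, dport: int, flags: int, reserved: int = 0) -> bytes:
    """Constructed 20-byte TCP header (no options, zero checksum) used only as sample input."""
    off_x2 = (5 << 4) | (reserved & 0x0F)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, off_x2, flags, 65535, 0, 0)


SYN = 0x02
CLEAN_SYN = build_tcp_header(40000, 443, SYN)                    # normal segment
MARKED_SYN = build_tcp_header(40000, 443, SYN, reserved=0b1010)  # reserved nibble altered

if __name__ == "__main__":
    for name, seg in (("clean", CLEAN_SYN), ("marked", MARKED_SYN)):
        f = parse_tcp_flags(seg)
        print(f"{name}: th_x2={f.reserved:#06b} flags={f.flags:#04x} suspicious={reserved_bits_set(seg)}")
```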