neslog
commented
4 years ago Agreed with the version field.
I looked at clientBuild, agreed it may be worth it. Let me know what you decide from your testing.
Closed 0x4D31 closed 4 years ago
neslog
commented
4 years ago Agreed with the version field.
I looked at clientBuild, agreed it may be worth it. Let me know what you decide from your testing.
It would be good to add a rdfp_version field for tracking the future changes in rdfp composition (just like the hasshVersion in hassh bro script: https://github.com/salesforce/hassh/blob/master/bro/hassh.bro#L24). e.g. I was thinking about adding clientBuild from the Client Core Data to rdfp v1.0 (need to double check the results based on my new pcap dataset).