The event ssl_client_hello of the ssl_analyzer module lacks a parameter for the advertised compression methods of the parsed ClientHello. The corresponding record is properly parsed but does not pass the list to the generated event. It is the only field not available to Bro scripts.
Attached patch addresses this by adding a parameter compr_methods: index_vec to the event. Tests have been updated accordingly.
Thanks a lot for the patch. We actually have a patchset that changes exactly this and extends a few other SSL events that has been floating around for a while (branch topic/johanna/tls-more-data - GitHub link https://github.com/bro/bro/compare/topic/johanna/tls-more-data).
The reason that that did not get merged so far is the fact that this will actually break a not insignificant number of user scripts that already are out there and using the SSL events, which is something that we typically try to avoid.
That being said, you are right, it would be nice to have this data available in Bro - I just never could convince myself that the invasiveness of changing a widely used event is worth it.
This is done in topic/johanna/tls-more-data.
Please merge this after merging and update the commit-number in NEWS when merging.
Besides exposing the compression methods, this also exposes the record layer TLS version in the client hello (and in a few other events).