I'm testing Zeek/Bro capabilities in terms of detecting different types of steganography. After working with the ICMP protocol, now I am trying to inspect the TCP protocol. I want to detect if the reserved bits in TCP are changed with the help of TCP events. Unfortunately without success.
Is it possible to inspect TCP reserved bits with Zeek?
Not out of the box, no. One way to add it would be to expand the TCP_Flags class in your local build so it captures the TCP header's th_x2 field bits as well. Then, use the tcp_packet event, which reports the flags.
This would be quite slow, though, as it'd be packet-level analysis.
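The field the answer points to (th_x2 in the BSD tcphdr struct) is the low nibble of byte 12 of the TCP header, the four bits between the data offset and the flag byte that RFC 9293 keeps reserved and requires to be zero. The following is an added example, not code from this thread or from Zeek: a small stand-alone Python parser that pulls that nibble out of a raw TCP segment and flags any segment where it is non-zero, which is the check a packet-level detector would perform. The sample segments are constructed inline with `build_tcp_header` (a hypothetical helper written for this example) so the script runs offline; on real traffic you would feed it the TCP layer of each packet from a pcap.

```python
import struct

TCP_MIN_HEADER = 20  # bytes; header without options


def tcp_reserved_bits(segment: bytes) -> int:
    """Return the 4-bit reserved field (BSD th_x2) of a raw TCP segment.

    Byte 12 of the header holds the data offset in its high nibble and the
    reserved bits in its low nibble; the flags (CWR, ECE, URG, ...) follow in
    byte 13. RFC 9293 requires the reserved nibble to be zero on the wire,
    so any non-zero value is either a broken stack or a covert channel.
    """
    if len(segment) < TCP_MIN_HEADER:
        raise ValueError("TCP header is at least 20 bytes")
    offset_byte = segment[12]
    data_offset_words = offset_byte >> 4
    if data_offset_words < 5:
        raise ValueError("invalid TCP data offset %d" % data_offset_words)
    return offset_byte & 0x0F


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int,
                     reserved: int = 0, window: int = 65535) -> bytes:
    """Constructed sample data only: assemble a 20-byte TCP header.

    The reserved argument is deliberately allowed to be non-zero so the
    detector has something to find; a compliant stack never sets it.
    """
    data_offset_words = 5  # no options
    offset_byte = (data_offset_words << 4) | (reserved & 0x0F)
    checksum, urgent_ptr = 0, 0  # not needed for this check
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       offset_byte, flags, window, checksum, urgent_ptr)


# Flag bits of byte 13, for readability of the constructed samples.
FLAG_SYN = 0x02
FLAG_ACK = 0x10

# Constructed sample segments (not captured traffic): a clean SYN, a SYN
# whose reserved nibble carries the value 0b1010, and a clean ACK.
SAMPLE_SEGMENTS = [
    build_tcp_header(40000, 80, 1000, 0, FLAG_SYN),
    build_tcp_header(40001, 80, 2000, 0, FLAG_SYN, reserved=0b1010),
    build_tcp_header(40000, 80, 1001, 5001, FLAG_ACK),
]


def find_nonzero_reserved(segments):
    """Return (index, reserved_value) for every segment whose reserved bits are set."""
    hits = []
    for i, seg in enumerate(segments):
        value = tcp_reserved_bits(seg)
        if value != 0:
            hits.append((i, value))
    return hits


if __name__ == "__main__":
    for idx, value in find_nonzero_reserved(SAMPLE_SEGMENTS):
        print("segment %d: reserved bits = 0b%04b" % (idx, value))
```

Because the check is per packet rather than per connection, it has the same cost profile the answer warns about: every segment has to be inspected, so in practice it is something to run over a pcap or a sampled feed rather than inline on a busy link.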