[Bro] tcp contents

john mcnicholas jomcn at mail.com
Mon Nov 29 11:12:02 PST 2004

In short, this is what I'm trying to do:  I want to selectively save  
the payload/contents of a TCP stream to a file just based on the  
protocol/port number.  Note: I can currently do this using 2 different  
approaches but I'm looking for the "right" way.

a. - (this approach works but I modified the source code) The small  
TCP_TransactionConnection class below in conjunction with a simple  
policy script does appear to successfully save the TCP contents for  
POP3, SMTP and HTTP.  (Yes trivial code changes were made to substitute  
the TCP_TransactionConnection for SMTP_Conn and HTTP_Conn in  
Sessions.cc )  The simple policy script filters on the desired ports  
and assigns a contents file each time a tcp connection is created.

b. - (this approach also works but it is not as efficient as above) I  
was able to save the HTTP and SMTP data by just creating empty event  
handlers for ("event smtp_data" and "event http_reply") in conjunction  
with the identical policy script used above.  This is less efficient  
than the first approach because of all the processing done by the  
HTTP_Conn and SMTP_Conn classes which would not be utilized by this  

c. - (this approach may have potential but it doesn't look like it can  
work in the current code) There is a TCP_ConnectionContents class that  
gets instantiated if a "new_connection_contents" policy handler exists  
(in Sessions.cc) but it doesn't look like it can limit itself to a certain  
number of protocols/ports.  In addition, it doesn't look like the code  
there was fully implemented in the BuildEndPoints method for the  
TCP_ConnectionContents class (the TCP_CONTENTS_BOTH case is missing).

Bottom line.  Since I'm not that familiar with the source code how does  
this feature/goal fit into the overall design of bro and is there  
already a way to accomplish it?  Determining if this feature is of  
value is probably the first question.

Thanks again for your help and your time.  If anything is unclear  
please let me know.



//---- here is the TCP_TransactionConnection code that I've been using  
for testing.

class TCP_TransactionConnection : public TCP_Connection {
public:
	TCP_TransactionConnection(NetSessions* s, HashKey* k, double t,
				const ConnID* id, const struct tcphdr* tp);

protected:
	// Called once the connection's two endpoints exist; attaches a
	// line-oriented contents processor to each side.
	void BuildEndpoints();
};

TCP_TransactionConnection::TCP_TransactionConnection(NetSessions* s,
				HashKey* k, double t, const ConnID* id,
				const struct tcphdr* tp)
: TCP_Connection(s, k, t, id, tp)
	{
	// Nothing beyond the TCP_Connection base-class setup.
	}

void TCP_TransactionConnection::BuildEndpoints()
	{
	// Second argument marks the side (orig = 1, resp = 0);
	// the last two are ! NUL_sensitive, skip_partial
	orig->AddContentsProcessor(new TCP_ContentLine(orig, 1, 0, 1));
	resp->AddContentsProcessor(new TCP_ContentLine(resp, 0, 0, 1));

	// sender = orig;
	}

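The policy-script half that pairs with a class like the one above, as an added example that is not part of the original post: it filters on the server port and assigns one contents file per connection, as approach (a) describes. It assumes the Bro policy API of that era (the new_connection event, set_contents_file(), CONTENTS_BOTH, open() and fmt()); the port set and file-name prefix are made-up values.

```bro
# Added example (not the original poster's script). Save the reassembled
# payload of TCP connections to a file, but only for selected server ports.

# Server ports whose stream contents should be saved (assumed values;
# redefine per site).
const capture_ports = { 25/tcp, 80/tcp, 110/tcp } &redef;

# Prefix for the per-connection contents files (assumed path).
const contents_prefix = "contents" &redef;

event new_connection(c: connection)
	{
	local id = c$id;

	# Connections to any other port get no contents file at all, so the
	# per-connection cost is paid only for the protocols of interest.
	if ( id$resp_p !in capture_ports )
		return;

	# One file per 4-tuple, e.g. contents.10.0.0.1.1234/tcp-10.0.0.2.25/tcp
	local fname = fmt("%s.%s.%s-%s.%s", contents_prefix,
				id$orig_h, id$orig_p, id$resp_h, id$resp_p);

	# Both directions of the stream go into the same file; this is the
	# CONTENTS_BOTH direction the post notes is missing from
	# TCP_ConnectionContents::BuildEndpoints.
	set_contents_file(id, CONTENTS_BOTH, open(fname));
	}
```

Note that without an analyzer (or a substitute such as TCP_TransactionConnection) attached to the connection, nothing feeds the contents file, which is the gap the post is asking about.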