[Bro] Traffic analysis by Bro
abhinay at cs.utexas.edu
Fri Nov 10 10:47:02 PST 2006
So suppose my script wants to analyze only interactive traffic (for example
telnet, ssh); it will have to explicitly ignore all packets not on ports
22/23 because the capture filter may have been modified by other scripts to
capture other traffic.
From: Robin Sommer [mailto:robin at icir.org]
Sent: Friday, November 10, 2006 11:11 AM
To: Abhinay Kampasi
Cc: bro at bro-ids.org
Subject: Re: [Bro] Traffic analysis by Bro
On Thu, Nov 09, 2006 at 12:32 -0600, Abhinay Kampasi wrote:
> What traffic does Bro monitor by default (i.e. what pcap capture filter
> does it use)?
It builds the pcap filter dynamically at startup depending on which
scripts you load. Just load the script print-filter to see what it
looks like in your particular setup.
> Does this modify the global filter? I mean do all the policy scripts
> (and not only my script) see the SSH traffic?
Yes. Yes. There's always only one pcap filter in use.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
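An added example, not from this thread or from the Bro distribution: a legacy Bro policy script (2006-era syntax) that does what Abhinay describes, contributing its own clause to the single global capture filter and then re-checking the ports in the event handler, since another loaded script may have widened the merged filter. `capture_filters` and `connection_established` are Bro's own; the set name `interactive_ports` and the handler body are assumptions.

```bro
# Added example (not from the thread). Assumed name: interactive_ports.
# Load print-filter alongside this script to see the merged pcap filter
# that Bro actually builds from all loaded scripts.

@load conn

# Ask for SSH and telnet packets. Bro ORs every entry of capture_filters
# together when it builds the one pcap filter used for the whole run.
redef capture_filters += {
    ["interactive"] = "tcp port 22 or tcp port 23"
};

# Ports we consider interactive; other scripts may redef this.
const interactive_ports = { 22/tcp, 23/tcp } &redef;

event connection_established(c: connection)
{
    # Another script may have redef'd capture_filters to admit far more
    # than ports 22/23 (e.g. all TCP), and this handler sees everything
    # the merged filter lets through. So filter explicitly here rather
    # than trusting the capture filter to have done it.
    if ( c$id$resp_p !in interactive_ports )
        return;

    print fmt("interactive session %s:%s -> %s:%s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}
```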