[Bro] Traffic analysis by Bro
abhinay at cs.utexas.edu
Sat Nov 11 10:15:36 PST 2006
Right now my script has the tcp_packet(...) event handler. I am assuming
that this event handler will be invoked for all TCP packets. Is that right?
From: Robin Sommer [mailto:robin at icir.org]
Sent: Saturday, November 11, 2006 12:09 PM
To: Abhinay Kampasi
Cc: bro at bro-ids.org
Subject: Re: [Bro] Traffic analysis by Bro
On Fri, Nov 10, 2006 at 12:47 -0600, Abhinay Kampasi wrote:
> So suppose my script wants to analyze only interactive traffic (for
> telnet, ssh), it will have to explicitly ignore all packets not on
> 22/23 because the capture filter may have been modified by other scripts
> to capture other traffic.
Hmm... Yes and no. Yes because in terms of filtering Bro does not
keep track of which traffic is requested by which script. But no
because your script will contain event handlers to implement your
detection logic. Many (though not all) events are thrown by
application-specific analyzers which only analyze "their" traffic.
E.g., the HTTP analyzer looks only at HTTP connections and thus
you're only going to see HTTP events for traffic on port 80 (or
whichever port it happens to use).
So, the bottom-line is that it depends on which events you're going
to analyze. Depending on that, you may or may not need to filter out
events which are irrelevant for you.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
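The two cases Robin distinguishes, as an added example that is not part of the thread or of Bro's own scripts: a generic event (tcp_packet) fires for every TCP packet Bro sees, whatever the merged capture filter turned out to be, so the handler has to throw away what it does not want; an analyzer event (http_request) only ever arrives for connections the HTTP analyzer has claimed, so no port check is needed. The event names, their parameters, `capture_filters`, and the `c$id$resp_p` field are Bro's; the "interactive" filter label, the `interactive_ports` set and the byte counter are assumptions made for the example.

```bro
# Added example (not from the thread). Ask for interactive traffic; other
# scripts may add their own entries, so the resulting BPF filter can be
# broader than this one.
redef capture_filters += { ["interactive"] = "tcp port 22 or tcp port 23" };

# Assumed port list for "interactive" traffic.
const interactive_ports = { 22/tcp, 23/tcp } &redef;

# Assumed per-connection payload counter, keyed by the 4-tuple.
global interactive_bytes: table[conn_id] of count &default = 0;

# Generic event: raised for every TCP packet, on any port, regardless of
# which script asked for the packets. The handler must filter for itself.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{
	if ( c$id$resp_p !in interactive_ports )
		return;

	# Only 22/tcp and 23/tcp reach this point.
	interactive_bytes[c$id] += len;
	}

# Analyzer event: raised by the HTTP analyzer only for HTTP connections,
# so nothing from ports 22/23 ever shows up here and no port check is needed.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	print fmt("%s %s from %s", method, original_URI, c$id$orig_h);
	}
```

One caveat worth keeping in mind when handling tcp_packet: it is raised per packet rather than per connection, so on a busy link the handler body runs far more often than an analyzer-level handler would, and the port test above should stay the first thing it does.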