[Bro] Questions about Bro Capabilities
rporada at ll.mit.edu
Wed Oct 3 07:04:33 PDT 2007
On Sep 26, 2007, at 9:43 PM, Robin Sommer wrote:
> On Wed, Sep 26, 2007 at 15:16 -0400, you wrote:
>> 1) Is it possible to denote particular packets in a capture? I know
> No, not really. The main problem here is that the link between most
> event handlers and the actual packets is pretty weak. In general,
> Bro does not give guarantees about when a particular event is raised
> and also doesn't keep track of which packet triggered it. There's a
> function called get_current_packet() which returns the packet Bro
> is currently munching on, but when script code is running it's hard
> to predict which packet that actually is.
> The only event which directly refers to packets is new_packet() but
> using that is expensive because it is raised for *all* packets.
> That said, perhaps we might be able to come up with some idea if you
> sketch in a bit more detail what you're trying to achieve.
I am working on a Traffic Generator (TG) project. Our TG has static
content for webpages and fileshares. In addition, we know when our
TG hosts attempt to access that data. Given those two things, I want
to be able to take a network capture, run it through a system and
separate out traffic that we know our TG generated, by correlating
intent and traffic content, from other traffic on the network. The
end goal is smaller and more relevant network captures for an
analyst. In order to do this I want to try and leverage other
protocol analyzers and parsers. Bro seems to be a good choice as I
believe that through a policy and some pregenerated variables (based
on the content and host intent) I can validate given traffic to be
from our TG system, and leave the rest for others to analyze. I
believe that in order to do this I need to get out of Bro the
relevant packets, either packet number or timestamp. Given that
information, I would be able to run it through a script that would
split the pcap based on the output. The added benefit of Bro is that
it does some additional analysis that could be useful for capture
analysis.
Is that a better sketch? Any thoughts?
Thanks in advance,
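A splitter in the spirit of the script described in the message above, given here as an added example that is not part of the original thread and not Bro's own code: it reads a classic pcap, moves every record whose timestamp (or packet number) appears in a list emitted by the analyzer into one output capture, and leaves the rest in another. Only the Python standard library is used. The analyzer output format (one `seconds.microseconds` timestamp per line, the form Bro's `network_time()` prints) and the sample capture are assumptions constructed for the example; a real policy script would have to log the timestamps in that shape.

```python
"""Split a pcap into TG-generated and other traffic, keyed by timestamps
(or 1-based packet numbers) emitted by an analyzer such as Bro.
Added example, not part of the original post or of Bro. Stdlib only."""
import struct

PCAP_HDR = struct.Struct('<IHHiIII')  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16                       # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xa1b2c3d4                # classic microsecond-resolution pcap


def build_pcap(packets, linktype=1):
    """Build a little-endian microsecond pcap from (ts_sec, ts_usec, payload) tuples.
    Used here only to construct sample input; a real capture comes from tcpdump or Bro."""
    out = bytearray(PCAP_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, data in packets:
        out += struct.pack('<IIII', sec, usec, len(data), len(data)) + data
    return bytes(out)


def iter_records(blob):
    """Yield (packet_number, ts_sec, ts_usec, raw_record) for each record.
    Byte order is taken from the magic; nanosecond pcap and pcapng are rejected."""
    magic = struct.unpack('<I', blob[:4])[0]
    if magic == MAGIC_USEC:
        endian = '<'
    elif magic == 0xd4c3b2a1:          # file was written big-endian
        endian = '>'
    else:
        raise ValueError('unsupported capture format (expected classic microsecond pcap)')
    rec = struct.Struct(endian + 'IIII')
    off, num = PCAP_HDR.size, 0
    while off + REC_HDR_LEN <= len(blob):
        sec, usec, incl_len, _orig_len = rec.unpack_from(blob, off)
        end = off + REC_HDR_LEN + incl_len
        if end > len(blob):
            raise ValueError('truncated record at packet %d' % (num + 1))
        num += 1
        yield num, sec, usec, blob[off:end]
        off = end


def parse_bro_timestamps(text):
    """Parse one 'seconds.microseconds' line (assumed analyzer output format) into
    exact (sec, usec) pairs. Uses string arithmetic rather than float() so that
    rounding never makes a timestamp miss its packet."""
    out = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sec, _, frac = line.partition('.')
        out.add((int(sec), int((frac + '000000')[:6])))
    return out


def split_pcap(blob, tg_timestamps=frozenset(), tg_numbers=frozenset()):
    """Return (tg_pcap, other_pcap). Records whose timestamp or packet number
    matches go to the TG capture; the rest stay in the capture left for analysts.
    Both outputs keep the original global header, so each is a valid pcap."""
    header = blob[:PCAP_HDR.size]
    tg, other = bytearray(header), bytearray(header)
    for num, sec, usec, raw in iter_records(blob):
        if (sec, usec) in tg_timestamps or num in tg_numbers:
            tg += raw
        else:
            other += raw
    return bytes(tg), bytes(other)


def count_records(blob):
    return sum(1 for _ in iter_records(blob))


# Constructed sample capture: five records with made-up payloads.
SAMPLE = build_pcap([
    (1190836960, 512, b'GET /tg-static/index.html'),
    (1190836960, 900, b'SSH-2.0-other-host'),
    (1190836961, 5, b'GET /tg-static/logo.png'),
    (1190836962, 0, b'\x00\x01'),
    (1190836963, 123456, b'SMB tg-fileshare read'),
])
# Constructed analyzer output: the timestamps the policy attributed to the TG.
BRO_OUTPUT = "1190836960.000512\n1190836961.000005\n1190836963.123456\n"

if __name__ == '__main__':
    tg, rest = split_pcap(SAMPLE, parse_bro_timestamps(BRO_OUTPUT))
    print('TG packets:', count_records(tg), 'other packets:', count_records(rest))
    # -> TG packets: 3 other packets: 2
```

Matching on the exact (seconds, microseconds) pair only works if the analyzer reports the capture's own packet timestamp rather than the time the event handler ran, which is the gap the reply above points at; the `tg_numbers` path exists for the case where packet numbers are the only reliable handle you can get out.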