[Bro] Questions about Bro Capabilities

Reed Porada rporada at ll.mit.edu
Wed Oct 3 08:14:45 PDT 2007

On Oct 3, 2007, at 10:36 AM, Nicholas Weaver wrote:

> On Wed, Oct 03, 2007 at 10:04:33AM -0400, Reed Porada composed:
>> I am working on a Traffic Generator (TG) project.  Our TG has static
>> content for webpages and fileshares.  In addition, we know when our
>> TG hosts attempt to access that data.  Given those two things, I want
>> to be able to take a network capture, run it through a system and
>> separate out traffic that we know our TG generated, by correlating
>> intent and traffic content, and other traffic on the network.  The
>> end goal being smaller and more relevant network captures for an
>> analyst.  In order to do this I want to try and leverage others'
>> protocol analyzers and parsers.  Bro seems to be a good choice as I
>> believe through a policy and some pregenerated variables (based on
>> the content and host intent) I can validate given traffic to be from
>> our TG system, and leave the rest for others to analyze.  I believe
>> that in order to do this I need to get out of Bro the relevant
>> packets, either packet number or timestamp.  Given that information,
>> I would be able to run it through a script that would split the pcap
>> based on the output.  The added benefit of Bro is that it does some
>> additional analysis that could be useful for capture analysis.
> What exactly are the defining characteristics of your synthetic  
> traffic?

Our synthetic traffic is not any different than if a normal user was  
on a machine generating the traffic.  Meaning that we use IE to  
navigate to a page, and we use Windows File Browsing to look at  
network file shares.  Our TG is designed to be run on an isolated  
network, a la DETER, thus we setup a simulated internet, and other  
simulated networks.  Since we are creating these networks, we control  
server content, IP addresses, and host-names.  The belief that we  
have is that since we know what our content is (i.e. what is at a  
given website, or on a given file share) and we know when we tried to  
access the given data (we have our host agents log intent), that we  
can separate out our TG traffic.  In theory there is no defining  
characteristic of our synthetic traffic in the packet captures that  
we could make Bro or really any other packet analyzer look for,  
basically we do not set the evil bit.  However, with the additional  
knowledge of what the content is, and what a synthetic user was  
doing, we believe we can find our traffic.  After looking at the  
variables and other things that Bro policy language has, I believe I  
can construct the lookup tables for host_agent_events and  
web_content.  Therefore, I believe that I can create a policy script  
to "find" our traffic.  What I am not sure is that from the policy I  
can provide the information necessary to get our traffic out of the  
capture, i.e. make a smaller capture with just the non-TG traffic.

Not sure if that answered your question Nicholas, but hopefully it  
clears some things up.
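The last step Reed describes above (get per-packet timestamps or connection identifiers out of the analyzer, then run "a script that would split the pcap" into TG and non-TG captures) as an added example; this is not code from the thread and not part of Bro. It assumes a constructed host-agent intent record of the form (TG client IP, server IP, server port, start time, end time), which stands in for the host_agent_events lookup Reed mentions, and a constructed four-packet capture built inline so the script runs offline. The addresses, ports and time window are invented for the demonstration.

```python
import socket
import struct
from typing import List, Optional, Tuple

# Constructed intent record (an assumption, not Bro's or the TG's real format):
# (tg_client_ip, server_ip, server_port, window_start, window_end) in epoch seconds.
Intent = Tuple[str, str, int, float, float]
Packet = Tuple[float, bytes]  # (timestamp in seconds, raw Ethernet frame)


def build_tcp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left zero; the
    splitter only needs the addresses and ports, so this is enough for the demo."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(packets: List[Packet]) -> bytes:
    """Serialize packets as a classic little-endian, microsecond, Ethernet pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def read_pcap(data: bytes) -> List[Packet]:
    """Parse the pcap written by write_pcap (same magic/endianness only)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        packets.append((sec + usec / 1_000_000, data[off:off + incl_len]))
        off += incl_len
    return packets


def tcp_endpoints(frame: bytes) -> Optional[Tuple[str, str, int, int]]:
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6 or len(frame) < 14 + ihl + 4:  # byte 23 is the IP protocol field
        return None
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, dst, sport, dport


def matches_intent(ts: float, frame: bytes, intents: List[Intent]) -> bool:
    """A packet is TG traffic if a logged intent covers its timestamp and it
    travels between that intent's client and server in either direction."""
    ends = tcp_endpoints(frame)
    if ends is None:
        return False
    src, dst, sport, dport = ends
    for client, server, port, t_start, t_end in intents:
        if not (t_start <= ts <= t_end):
            continue
        if (src, dst, dport) == (client, server, port):  # request direction
            return True
        if (src, dst, sport) == (server, client, port):  # response direction
            return True
    return False


def split_capture(pcap: bytes, intents: List[Intent]) -> Tuple[bytes, bytes]:
    """Return (tg_pcap, other_pcap); the second is what an analyst would look at."""
    tg, other = [], []
    for ts, frame in read_pcap(pcap):
        (tg if matches_intent(ts, frame, intents) else other).append((ts, frame))
    return write_pcap(tg), write_pcap(other)


def packet_count(pcap: bytes) -> int:
    return len(read_pcap(pcap))


# Constructed sample data: one intent, four packets.
INTENTS: List[Intent] = [("10.0.0.5", "10.0.1.10", 80, 1000.0, 1005.0)]
SAMPLE_PCAP = write_pcap([
    (1000.2, build_tcp_frame("10.0.0.5", "10.0.1.10", 40001, 80, b"GET / HTTP/1.1\r\n")),   # TG request
    (1000.4, build_tcp_frame("10.0.1.10", "10.0.0.5", 80, 40001, b"HTTP/1.1 200 OK\r\n")),  # TG response
    (1001.0, build_tcp_frame("10.0.0.7", "10.0.1.10", 40002, 80, b"GET / HTTP/1.1\r\n")),   # no intent logged
    (2000.0, build_tcp_frame("10.0.0.5", "10.0.1.10", 40003, 80, b"GET / HTTP/1.1\r\n")),   # outside window
])

if __name__ == "__main__":
    tg_pcap, other_pcap = split_capture(SAMPLE_PCAP, INTENTS)
    print("TG packets:", packet_count(tg_pcap), "remaining:", packet_count(other_pcap))
```

In practice the intent records would come from the host-agent logs and the matching would be done on whatever Bro emits (timestamps or connection identifiers) rather than on raw frames; the point of the example is that a time window plus a client/server pair is enough to carve a capture without any marker in the packets themselves. The constructed clock here is perfectly synchronized; with real agents and sniffers the window needs slack to cover clock skew, otherwise TG packets leak into the analyst's capture.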
