[Bro] Questions about Bro Capabilities

Robin Sommer robin at icir.org
Wed Oct 3 09:51:43 PDT 2007

On Wed, Oct 03, 2007 at 08:26 -0700, Nicholas Weaver wrote:

> For offline processing, do a two-pass approach.  In the first pass,
> you use Bro to find the TG flows based on the higher-level attributes,
> and write out the flow IDs.  For the second pass, only capture the
> flows which don't correspond.

Yeah, that was my thought too.  (This is an offline scheme, isn't it?)

If I understood your approach correctly, you depend on 
application-layer analysis to find "your" traffic. In that case,
doing it in a single pass would likely miss packets because you
might only be able to take the decision some way into the stream. 

At the same time it also sounds like you're always cutting out
complete flows rather than just individual packets.  So, a two-pass,
flow-based approach sounds indeed reasonable. 

Does this make any sense?


Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
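The two-pass scheme discussed above, as an added example that is not part of the original thread or of Bro itself: constructed packets stand in for a trace, `is_tg_payload` is a hypothetical stand-in for the higher-level attribute that identifies "your" flows, and a single-pass filter is shown beside the two-pass one so the packets the single pass misses are visible.

```python
# Added example (not from the mailing-list thread). Packets are constructed;
# the classifier is a placeholder for whatever application-layer attribute
# Bro would use to recognise the flows of interest.
from collections import namedtuple

Packet = namedtuple("Packet", "flow payload")

# Constructed sample trace: flow A only reveals the marker in its third
# packet, flow B never carries it. Flow IDs stand in for 5-tuples.
SAMPLE = [
    Packet("A", b"SYN"),
    Packet("B", b"SYN"),
    Packet("A", b"hello"),
    Packet("B", b"GET /index.html"),
    Packet("A", b"X-TG-Marker: 1"),   # decision possible only from here on
    Packet("A", b"data"),
    Packet("B", b"data"),
]


def is_tg_payload(payload):
    """Hypothetical application-layer attribute identifying 'our' traffic."""
    return b"X-TG-Marker" in payload


def single_pass_keep(packets):
    """Single pass: a flow is dropped only after it has been identified, so
    the packets seen before the decision point have already been written."""
    tg_flows = set()
    kept = []
    for p in packets:
        if is_tg_payload(p.payload):
            tg_flows.add(p.flow)
        if p.flow not in tg_flows:
            kept.append(p)
    return kept


def first_pass_flow_ids(packets):
    """Pass 1: collect the IDs of all flows that match the attribute."""
    return {p.flow for p in packets if is_tg_payload(p.payload)}


def second_pass_keep(packets, tg_flows):
    """Pass 2: re-read the trace and keep only flows not in the ID set."""
    return [p for p in packets if p.flow not in tg_flows]


def two_pass_keep(packets):
    return second_pass_keep(packets, first_pass_flow_ids(packets))
```

Running both filters over `SAMPLE` shows the single pass leaking the first two packets of flow A, while the two-pass filter removes the flow completely.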
