[Bro] Questions about Bro Capabilities
rporada at ll.mit.edu
Wed Sep 26 12:16:23 PDT 2007
I am looking at extending Bro to help with traffic isolation. What I
need to be able to do is differentiate between traffic that matches a
given set of criteria and that which does not. In general, I know
this can be done through the policies, and I believe I can do most of
what I want within a policy. There are a few things that, from
reading the documentation and some initial policy testing, I am
not certain about.
1) Is it possible to denote particular packets in a capture? I know
most of the analysis is done on a flow/connection basis, but I was
wondering if any information regarding the pcap was kept in the
streams/records that are passed?
2) Is it possible to get the content from http sessions? I want to
be able to validate that the content is that which I know to be on a
given site. I know there are content_length and data_length values
in the http_message record type, but I do not see much relating to
the actual content.
Thanks for any help,
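As an added illustration (not from the original post or from the Bro project), the following policy sketch shows one way the second question could be approached: accumulate each HTTP response body via the http_entity_data event and compare its MD5 against an allow-list of known-good digests. It is written in current Zeek syntax rather than the 2007 Bro dialect, and the allow-list entry is a placeholder.

```zeek
# Added example: validate HTTP response bodies against known-good digests.
# Assumes the http_entity_data / http_message_done events and the
# incremental md5_hash_* functions (current Zeek syntax).
module ContentCheck;

export {
    # Constructed allow-list of expected body digests.
    # The value below is a placeholder; fill in digests of the real content.
    const known_good: set[string] = {
        "PLACEHOLDER_MD5_OF_KNOWN_PAGE",
    } &redef;
}

# Per-connection MD5 state for the server-to-client body.
global body_hash: table[conn_id] of opaque of md5;

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
    {
    # Only the response direction (is_orig == F) carries the site content.
    if ( is_orig )
        return;

    if ( c$id !in body_hash )
        body_hash[c$id] = md5_hash_init();

    md5_hash_update(body_hash[c$id], data);
    }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
    {
    if ( is_orig || c$id !in body_hash )
        return;

    local digest = md5_hash_finish(body_hash[c$id]);
    delete body_hash[c$id];

    # Report bodies whose digest is not in the allow-list.
    if ( digest !in known_good )
        print fmt("unexpected content from %s: md5=%s body_length=%d",
                  c$id$resp_h, digest, stat$body_length);
    }
```

Run it as `zeek -r capture.pcap contentcheck.zeek` to check a recorded capture; bodies that span multiple entities are hashed in arrival order, so a content gap will change the digest.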