[Bro] Questions about Bro Capabilities

Reed Porada rporada at ll.mit.edu
Wed Sep 26 12:16:23 PDT 2007


I am looking at extending Bro to help with traffic isolation.  What I
need to be able to do is differentiate between traffic that matches a
given set of criteria and that which does not.  In general, I know
this can be done through the policies, and I believe I can do most of
what I want within a policy.  There are a few things that, from
reading the documentation and some initial policy testing, I am
not certain about.

1) Is it possible to denote particular packets in a capture?  I know  
most of the analysis is done on a flow/connection basis, but I was  
wondering if any information regarding the pcap was kept in the  
streams/records that are passed?

2) Is it possible to get the content from http sessions?  I want to
be able to validate that the content is that which I know to be on a
given site.  I know there are content_length and data_length values
in the http_message record type, but I do not see much relating to
the actual content.


Thanks for any help,
-Reed
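The following is an added example, not part of the original post and not code from the Bro project, of the kind of policy script the second question is after: collecting the body of each HTTP response as the analyzer delivers it, hashing it, and comparing the digest against a known-good value for that server and URI. It assumes the event signatures http_request, http_entity_data and http_message_done and the md5_hash() built-in as found in Bro's HTTP analyzer; the event names and the reference digest table (192.0.2.10, /index.html and the MD5 value) are assumptions and constructed sample data, so check the signatures against the event definitions shipped with your Bro version before relying on them.

```bro
# Added example (not from the original post or from the Bro project): hash
# each HTTP response body as Bro hands it to the policy layer and compare it
# with a known-good digest for that server and URI.
# Assumed: the event signatures http_request, http_entity_data and
# http_message_done and the md5_hash() built-in behave as described in Bro's
# HTTP analyzer documentation; verify against your installed event definitions.

module ContentCheck;

export {
	# Constructed sample table of reference digests, keyed by server
	# address and request URI. Replace with digests computed from the
	# authoritative copies of the pages you want to validate.
	const expected_md5: table[addr, string] of string = {
		[192.0.2.10, "/index.html"] = "d41d8cd98f00b204e9800998ecf8427e",
	} &redef;
}

# Response bodies still being assembled, keyed by connection id.
global bodies: table[conn_id] of string;

# Request URI seen on each connection, recorded from the client side.
global uris: table[conn_id] of string;

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	uris[c$id] = unescaped_URI;
	}

event http_entity_data(c: connection, is_orig: bool, length: count, data: string)
	{
	# Only the responder (server) side carries the content to validate;
	# entity data from the originator is a request body.
	if ( is_orig )
		return;

	if ( c$id !in bodies )
		bodies[c$id] = "";

	# The analyzer delivers the body in chunks; append them in order.
	bodies[c$id] = bodies[c$id] + data;
	}

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig || c$id !in bodies )
		return;

	local uri = (c$id in uris) ? uris[c$id] : "<unknown>";
	local digest = md5_hash(bodies[c$id]);

	if ( [c$id$resp_h, uri] in expected_md5 )
		{
		if ( digest != expected_md5[c$id$resp_h, uri] )
			print fmt("%s: content mismatch for %s%s (got %s, expected %s)",
			          network_time(), c$id$resp_h, uri, digest,
			          expected_md5[c$id$resp_h, uri]);
		}
	else
		print fmt("%s: no reference digest for %s%s",
		          network_time(), c$id$resp_h, uri);

	# Release the buffered body once the message is complete.
	delete bodies[c$id];
	delete uris[c$id];
	}
```

Two caveats a practitioner will hit with this approach: the digest is computed over the body as transferred, so a server that applies Content-Encoding (gzip and the like) must be compared against the compressed form or have the encoding disabled for the test, and keying on conn_id alone conflates pipelined requests on one persistent connection, so a production version should pair each response with its request rather than assume one request per connection.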



More information about the Bro mailing list