[Bro] Questions about Bro Capabilities
robin at icir.org
Wed Sep 26 18:43:02 PDT 2007
On Wed, Sep 26, 2007 at 15:16 -0400, you wrote:
> 1) Is it possible to denote particular packets in a capture? I know
No, not really. The main problem here is that the link between most
event handlers and the actual packets is pretty weak. In general,
Bro does not give guarantees about when a particular event is raised
and also doesn't keep track which packet triggered it. There's a
function called get_current_packet() which returns the packet Bro
currently munching on but when script code is running it's hard to
predict which packet that actually is.
The only event which directly refers to packets is new_packet() but
using that is expensive because it is raised for *all* packets.
That said, perhaps we might be able to come up with some idea if you
sketch in a bit more detail what you're trying to achieve.
> 2) Is it possible to get the content from http sessions?
Yes, that's possible. The event for this is http_entity_data(); see
http-body.bro for an example that logs HTTP content into http.log.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro