[Bro] Offline/Tracefile Traffic Classification with Bro
isara.a at gmail.com
Tue Oct 21 14:33:38 PDT 2008
I am completely new to Bro and have a few *naive* questions.
I have already tried to find the answer myself but to no avail.
I have to classify and isolate Internet traffic (or Internet flows)
which are stored in several trace files which are stored in compressed
For instance, given a trace file A, and a specific protocol, say, SSH,
what I have to do is generate another trace file which contains only
SSH packets from the trace A.
I do not need the SSH trace file automatically.
But I need at least the 5-tuple of the SSH flows that reside in the
trace A so that I can extract the SSH packets later.
As far as I understand from the Bro wiki, Bro can recognize flows from
tcpdump traces, which are the same as pcap traces.
(Here is where I found it:
Here are the questions:
1) Can I somehow obtain the flows or packets in the flows that match
some certain Bro rules and isolate them?
2) If so, how do I do it? I have looked through the online documents but
cannot get a concrete answer.
3) If not, can I at least identify which flows match the rules?
4) Is there any rules repository for Bro (like Snort rules)?
Thank you very much. :)
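An added example of the offline approach the question points at; it is not part of the original thread. It is a Bro policy script run over trace A with `bro -r`, which relies on the `ssh_client_version` event from Bro's SSH analyzer (assumed to exist in the reader's Bro version, along with `port_to_count` and `bro_done`) rather than on port 22 alone, and prints one 5-tuple per SSH connection as a BPF expression that tcpdump can later use to cut those packets out of the trace.

```bro
# Added example: collect the 5-tuple of every connection that Bro's SSH
# analyzer recognises as SSH and emit it as a tcpdump/BPF filter.
# Run offline over a trace:  bro -r traceA.pcap ssh-flows.bro
# Assumptions: ssh_client_version (SSH analyzer), port_to_count, bro_done.

global ssh_flows: set[conn_id];

event ssh_client_version(c: connection, version: string)
	{
	# Fires when the analyzer sees the client's SSH version banner,
	# so this is protocol-based recognition, not a port guess.
	add ssh_flows[c$id];
	}

event bro_done()
	{
	# One BPF line per SSH flow; feed each to tcpdump -r traceA.pcap -w ...
	for ( id in ssh_flows )
		print fmt("tcp and host %s and port %d and host %s and port %d",
		          id$orig_h, port_to_count(id$orig_p),
		          id$resp_h, port_to_count(id$resp_p));
	}
```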