[Bro] Offline/Tracefile Traffic Classification with Bro

Isara Anantavrasilp isara.a at gmail.com
Thu Oct 30 10:10:48 PDT 2008


Thanks for the advice and sorry for the late reply.
I have looked into wireshark even before Bro.
The problem that I have is that I have to classify the flows in
several extra-large traces.
And it cannot be done without some automated tools.

Up to now I have written a simple classifier based on libtrace, but I
am not sure if my own signatures (as well as the algorithm) are valid.
And since Bro is designed to do the classification and already has
signatures available, I am hoping that with Bro's mechanism I can
classify packets/flows more easily and with higher accuracy.

-- Isara

On Thu, Oct 23, 2008 at 6:23 AM, rmkml <rmkml at free.fr> wrote:
> Hi Isara,
> maybe check with ngrep or wireshark, this last support pcap compressed
> file+heuristic/filter dissectors...
> Regards
> Rmkml
> Crusoe-Researches.com
> On Thu, 23 Oct 2008, Isara Anantavrasilp wrote:
>> Date: Thu, 23 Oct 2008 00:07:23 +0200
>> From: Isara Anantavrasilp <isara.a at gmail.com>
>> To: Robin Sommer <robin at icir.org>
>> Cc: bro at ICSI.Berkeley.EDU
>> Subject: Re: [Bro] Offline/Tracefile Traffic Classification with Bro
>> Hi,
>> thanks a lot for the answer.
>> That is what I am looking for, but not entirely.
>> As far as I understand from the syntax, it pushes every packet that
>> has TCP port 22 into Bro.
>> Bro then summarizes the connections in the conn.log (using tcp policy).
>> And you are right, I want just the packets so that I can process later.
>> However, it might work with SSH, but the reason I need Bro here is
>> that some applications that I am interested in require payload
>> signatures.
>> And even though it is SSH, I would like to be sure that it is actually
>> SSH (by analyzing the payload not just port number).
>> I just found out that with switch "-w <writefile>", Bro can output the
>> packets.
>> If I use something like
>> bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro,
>> would Bro return packets of all flows that match the policy in
>> somesignature.bro?
>> Another question, can Bro handle the compressed trace file by itself
>> or I always have to use zcat?
>> Thank you very much!
>> -- Isara
>> On Wed, Oct 22, 2008 at 11:41 PM, Robin Sommer <robin at icir.org> wrote:
>>> On Tue, Oct 21, 2008 at 23:33 +0200, you wrote:
>>>> For instance, given a trace file A, and a specific protocol, say, SSH,
>>>> what I have to do is generate another trace file which contains only
>>>> SSH packets from the trace A.
>>>> I do not need the SSH trace file automatically.
>>>> But I need at least the 5-tuple of the SSH flows that reside in the
>>>> trace A so that I can extract the SSH packets later.
>>> Is this what you're looking for?
>>> zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log
>>> Or if you need just the packets, skip Bro altogether.
>>> Robin
>>> --
>>> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
>>> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
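As an added example (not code from the thread or from Bro), the extraction step Isara describes can be done from a list of 5-tuples, once a payload signature rather than the port number has identified the flows, by turning each tuple into a bidirectional BPF term and feeding the trace through tcpdump as in Robin's pipeline. The one-flow-per-line input format, the sample flows and the use of gzip -cdf (so plain and gzipped traces both work) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumed input: one flow per line, "proto src_ip src_port dst_ip dst_port".

# Constructed sample: two flows flagged as SSH by payload, one on a
# non-standard port that a plain "port 22" filter would miss.
SAMPLE_FLOWS='tcp 10.0.0.5 41234 192.0.2.10 22
tcp 10.0.0.7 55000 192.0.2.11 2222'

# Emit one BPF term that matches both directions of a single 5-tuple.
flow_term() {
    # $1=proto $2=src $3=sport $4=dst $5=dport
    printf '(%s and ((src host %s and src port %s and dst host %s and dst port %s) or (src host %s and src port %s and dst host %s and dst port %s)))' \
        "$1" "$2" "$3" "$4" "$5" "$4" "$5" "$2" "$3"
}

# Read tuples from stdin and join their terms with "or" into one filter.
bpf_from_flows() {
    filter=""
    while read -r proto src sport dst dport; do
        [ -z "$proto" ] && continue          # skip blank lines
        term=$(flow_term "$proto" "$src" "$sport" "$dst" "$dport")
        if [ -z "$filter" ]; then filter="$term"; else filter="$filter or $term"; fi
    done
    printf '%s' "$filter"
}

# Pull the listed flows out of a trace: $1=input trace (gzip or plain),
# $2=output pcap; tuples come on stdin. Exits 1 if no tuples were given.
extract_flows() {
    filter=$(bpf_from_flows)
    [ -n "$filter" ] || { echo "no flows given" >&2; return 1; }
    gzip -cdf "$1" | tcpdump -r - -w "$2" "$filter"
}

# Usage: printf '%s\n' "$SAMPLE_FLOWS" | extract_flows trace.pcap.gz ssh_only.pcap
```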
