[Bro] Automated Identification of Notice/Alarm Generating Packets

rmkml rmkml at free.fr
Mon Nov 9 01:49:52 PST 2009


Hi Rob,
I don't know if bro writes (-w) exactly like snort does,
but bro has other good options:
- all (http) log contains unix timestamp and http session number
- http log contains uri request and http code reply
- http mime extraction/decoding/parsing (zip)
- don't miss the binpac and dpd options for recognizing http traffic on all ports (requires bpf filters)
- bro http/http-request/http-request-body/http-reply-body/http-body/http-request-header/http-reply-header options
- powerful bro script language
Regards
Rmkml
Crusoe-Researches.com


On Mon, 9 Nov 2009, Rob Shanley wrote:

> Hi Bro List,
>
> I am new to bro and I'm trying to find out if there is an easy / automated
> way to identify the packets that triggered a notice/alarm. I am focused on
> offline-analysis. For example can you use a technique to read/write, ex. -r
> a.pcap -w b.pcap, where a.pcap contains all traffic and b.pcap contains all
> traffic that triggered an alarm or conversely all traffic that did not
> trigger an alarm? This would be similar to how snort writes a pcap log of
> suspect traffic. If this is not possible is there sufficient information in
> the logs to identify individual packets that triggered an alarm/notice? And
> are there any bundled tools for facilitating this process? I am focused on
> http traffic.
>
> Essentially my goal is to pass large sets of data through bro and segregate
> the traffic into either clean or suspect subsets. I have done some searching
> on the wiki but it seems that most of my leads bring me to the "Reference
> Manual: Missing Documentation" page.
>
> I greatly appreciate any guidance you can provide!
>
> Thanks,
> -Rob
>
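An added example of the post-processing Rob asks about (this is not code from the thread, from Bro, or from either poster): given the connections that raised an alarm, split a pcap into a suspect subset and a clean subset by matching each packet's IPv4/TCP 4-tuple in either direction. The alarm-line layout (`ts src_ip src_port dst_ip dst_port`), the sample log line and the packets are all constructed for illustration; Bro's real log columns differ, so `parse_alarm_lines` would need adjusting before use on actual output, and the helper names (`packet_key`, `split_pcap`, `build_frame`, `build_pcap`, `demo`) are this example's own. Matching on the 4-tuple moves the whole connection, not only the packet that tripped the notice; the unix timestamp in the log could be used to narrow that further.

```python
"""Split a pcap into suspect/clean subsets from a list of alarmed connections.
Added example; log layout and packets below are constructed, not Bro's own."""
import socket
import struct

# Little-endian pcap global header, LINKTYPE_ETHERNET (1), snaplen 65535.
PCAP_GLOBAL_HDR = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)


def parse_alarm_lines(lines):
    """Assumed (constructed) layout: '<unix_ts> <src_ip> <src_port> <dst_ip> <dst_port>'.
    Returns direction-agnostic 4-tuple keys, one per alarmed connection."""
    keys = set()
    for line in lines:
        if not line.strip() or line.startswith('#'):
            continue
        _ts, sip, sport, dip, dport = line.split()[:5]
        keys.add(frozenset([(sip, int(sport)), (dip, int(dport))]))
    return keys


def packet_key(frame):
    """4-tuple key of an Ethernet/IPv4/TCP-or-UDP frame, or None if not one."""
    if len(frame) < 34 or frame[12:14] != b'\x08\x00':  # not IPv4 over Ethernet
        return None
    ihl = (frame[14] & 0x0f) * 4          # IPv4 header length in bytes
    proto = frame[23]                     # IPv4 protocol field
    if proto not in (6, 17) or len(frame) < 14 + ihl + 4:
        return None
    sip = socket.inet_ntoa(frame[26:30])
    dip = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack('!HH', frame[14 + ihl:14 + ihl + 4])
    return frozenset([(sip, sport), (dip, dport)])


def iter_pcap(data):
    """Yield (raw_record, frame) for each packet of a little-endian pcap."""
    assert struct.unpack('<I', data[:4])[0] == 0xa1b2c3d4, 'little-endian pcap only'
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack('<I', data[off + 8:off + 12])[0]
        end = off + 16 + incl_len
        yield data[off:end], data[off + 16:end]
        off = end


def split_pcap(data, alarm_keys):
    """Return (suspect_pcap, clean_pcap); records are copied unchanged."""
    suspect, clean = bytearray(PCAP_GLOBAL_HDR), bytearray(PCAP_GLOBAL_HDR)
    for record, frame in iter_pcap(data):
        (suspect if packet_key(frame) in alarm_keys else clean).extend(record)
    return bytes(suspect), bytes(clean)


# ---- constructed input for the demo ---------------------------------------
def build_frame(sip, sport, dip, dport, payload=b''):
    """Minimal Ethernet/IPv4/TCP frame (checksums left zero; fine for parsing)."""
    tcp = struct.pack('!HHIIBBHHH', sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip))
    return b'\x00' * 12 + b'\x08\x00' + ip + tcp


def build_pcap(frames):
    out = bytearray(PCAP_GLOBAL_HDR)
    for i, frame in enumerate(frames):
        out += struct.pack('<IIII', 1257760192 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_ALARM_LOG = """# constructed: ts src_ip src_port dst_ip dst_port
1257760192 10.0.0.5 41234 192.0.2.10 80
"""


def demo():
    """Three packets, one alarmed connection (both directions) -> (2, 1)."""
    frames = [
        build_frame('10.0.0.5', 41234, '192.0.2.10', 80, b'GET /x HTTP/1.0\r\n\r\n'),
        build_frame('192.0.2.10', 80, '10.0.0.5', 41234, b'HTTP/1.0 200 OK\r\n\r\n'),
        build_frame('10.0.0.7', 51000, '192.0.2.20', 80, b'GET / HTTP/1.0\r\n\r\n'),
    ]
    keys = parse_alarm_lines(SAMPLE_ALARM_LOG.splitlines())
    suspect, clean = split_pcap(build_pcap(frames), keys)
    return sum(1 for _ in iter_pcap(suspect)), sum(1 for _ in iter_pcap(clean))


if __name__ == '__main__':
    print(demo())  # (2, 1)
```

The two output byte strings are complete pcap files and can be written to disk and re-read with any pcap tool; non-IP frames (or anything the parser cannot classify) fall into the clean subset, which is the conservative choice for a "show me what Bro flagged" workflow.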


