[Bro] nprobe, ngrep, tcpdump and tcpflow -like behavior of BRO ids?

Seth Hall seth at icir.org
Mon Dec 12 10:15:51 PST 2011

On Dec 12, 2011, at 11:08 AM, Panos Sakkos wrote:

> nprobe => convert raw network traffic to netflow format

Bro doesn't output netflow, but we have a connection analyzer and scripts that output a file named conn.log which is similar but with more information.

> ngrep => extract fields from incoming and outgoing HTTP traffic (url, referer, …)

I don't know if I would say that is a capability of ngrep.  I guess in some cases it works for that, but the Bro 2.0 beta does a much better job.

> tcpdump => store size-limited TCP session (for an incoming SSH connection for example)

tcpdump doesn't even do this (that I know of).  We have a tool named Time Machine that can do this and more though.  It should be getting more attention and work done on it soon too.

> tcpflow => reconstruct TCP flows for given sessions (given source ip for example)


Try the 2.0 beta from our site.  It's much easier to begin using than the current 1.5 release.  You should be able to have some output in just a few minutes.  Our quick start guide is available here:


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
