[Bro] "Faking" connections and http records

Jim Mellander jmellander at lbl.gov
Fri Mar 22 13:04:37 PDT 2013

Hi all:

I'm in the process of processing our syslogs for apache logs (which
will allow us visibility into ssl sessions into our webservers), and
am at the point where I am able to import the data into bro using the
input framework.  There's enough data to fill in most of a connection
record, and to fake other stuff.  What would be really cool would be
to create a connection record, and have it go thru the normal
processing, feed the http data in for processing via the standard http
processes, and close down the connection.  This would allow for
standard logging, and standard IDS processes to act upon this info.

Does anyone have suggestions on how to proceed with this?

Thanks in advance,

Jim Mellander
NERSC Cybersecurity

More information about the Bro mailing list