[Bro] "Faking" connections and http records
jmellander at lbl.gov
Fri Mar 22 14:18:29 PDT 2013
Well, it's unfortunate that we can't feed in data from other sources
and subject it to the same policies that network traffic is subject to.
In the meantime, I may just write some code that fakes the data into
pcap files that can be read by Bro directly.
On Fri, Mar 22, 2013 at 1:54 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 22, 2013, at 4:04 PM, Jim Mellander <jmellander at LBL.GOV> wrote:
>> Does anyone have suggestions on how to proceed with this?
> It wouldn't work very well. :)
> Nearly all of the detections rely on the various http_ events. I would go down a slightly different route with logs than I would with raw traffic. This is something that I've been talking about for quite a while and I suspect something related to happen in the next year.
> I think it's really cool that you're importing logs into Bro!
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
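One way to do what the message above describes, as an added example that is not code from the original post or from the Bro project: turn a single HTTP log record into a pcap by hand-crafting a complete TCP connection (three-way handshake, request segment, response segment, FIN exchange) with valid IP and TCP checksums, so a trace-reading analyzer does not discard the frames as corrupt. The log record, addresses, MAC addresses and sequence numbers are constructed for illustration; nothing is read from a live network.

```python
"""Synthesize a pcap carrying a fake TCP connection with one HTTP exchange.

Added example for this thread, not code from the original post or from Bro.
The record, IPs, MACs and sequence numbers below are constructed.
"""
import socket
import struct
from http import HTTPStatus

# Constructed sample record, as an application log might describe one request.
SAMPLE_RECORD = {
    "src_ip": "10.0.0.5", "src_port": 51000,
    "dst_ip": "93.184.216.34", "dst_port": 80,
    "method": "GET", "host": "example.com", "uri": "/index.html",
    "user_agent": "curl/7.68.0",
    "status": 200, "body": b"<html>hi</html>",
    "ts": 1363984709.0,
}

SYN, ACK, PSH, FIN = 0x02, 0x10, 0x08, 0x01


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet + IPv4 + TCP frame; both IP and TCP checksums are filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    # 20-byte TCP header (data offset 5) with the checksum field zeroed.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp + payload


def verify_checksums(frame: bytes) -> bool:
    """Check that a frame from build_packet carries valid IP and TCP checksums."""
    ip, seg = frame[14:34], frame[34:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(seg))
    return checksum(ip) == 0 and checksum(pseudo + seg) == 0


def fake_http_connection(rec) -> list:
    """Frames of a full client/server TCP session carrying the record's HTTP exchange."""
    c = (rec["src_ip"], rec["dst_ip"], rec["src_port"], rec["dst_port"])  # client -> server
    s = (rec["dst_ip"], rec["src_ip"], rec["dst_port"], rec["src_port"])  # server -> client
    request = ("{method} {uri} HTTP/1.1\r\nHost: {host}\r\n"
               "User-Agent: {user_agent}\r\n\r\n").format(**rec).encode()
    response = ("HTTP/1.1 %d %s\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n"
                % (rec["status"], HTTPStatus(rec["status"]).phrase, len(rec["body"]))
                ).encode() + rec["body"]
    cseq, sseq = 1000, 5000  # arbitrary initial sequence numbers
    creq, sresp = cseq + 1 + len(request), sseq + 1 + len(response)
    return [
        build_packet(*c, cseq, 0, SYN),
        build_packet(*s, sseq, cseq + 1, SYN | ACK),
        build_packet(*c, cseq + 1, sseq + 1, ACK),
        build_packet(*c, cseq + 1, sseq + 1, PSH | ACK, request),
        build_packet(*s, sseq + 1, creq, ACK),
        build_packet(*s, sseq + 1, creq, PSH | ACK, response),
        build_packet(*c, creq, sresp, ACK),
        build_packet(*c, creq, sresp, FIN | ACK),
        build_packet(*s, sresp, creq + 1, FIN | ACK),
        build_packet(*c, creq + 1, sresp + 1, ACK),
    ]


def pcap_bytes(frames, ts: float) -> bytes:
    """Classic libpcap file: global header (Ethernet link type) + timestamped records."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        t = ts + i * 0.001  # 1 ms apart so packet ordering is unambiguous
        sec, usec = int(t), int(round((t - int(t)) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    frames = fake_http_connection(SAMPLE_RECORD)
    with open("fake.pcap", "wb") as f:
        f.write(pcap_bytes(frames, SAMPLE_RECORD["ts"]))
```

Feed the result to Bro with `bro -r fake.pcap`; the connection and http logs it produces describe the synthesized session. Everything an application log does not record (timing, TCP details, the exact response bytes) is whatever this script invented, so treat the resulting analysis as applying to the fake, not to the original transaction.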