[Bro] "Faking" connections and http records

Jim Mellander jmellander at lbl.gov
Fri Mar 22 14:18:29 PDT 2013

Well, it's unfortunate that we can't feed in data from other sources
and subject it to the same policies that network traffic is subject

In the meantime, I may just write some code that fakes the data into
pcap files that can be read by bro directly.

On Fri, Mar 22, 2013 at 1:54 PM, Seth Hall <seth at icir.org> wrote:
> On Mar 22, 2013, at 4:04 PM, Jim Mellander <jmellander at LBL.GOV> wrote:
>> Does anyone have suggestions on how to proceed with this?
> It wouldn't work very well. :)
> Nearly all of the detections rely on the various http_ events.  I would go down a slightly different route with logs than I would with raw traffic.  This is something that I've been talking about for quite a while and I suspect something related to happen in the next year.
> I think it's really cool that you're importing logs into Bro!
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
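
Added example, not part of the original thread and not code from either poster: one way to do the pcap approach mentioned at the top of the message, turning a single HTTP log record into a capture with a TCP handshake, request and response. The record field names, MAC addresses, sequence numbers and the "Synthetic" reason phrase are assumptions, and the connection is left without a FIN teardown.

```python
import socket
import struct

# Constructed sample record (hypothetical field names), e.g. one parsed proxy-log line.
SAMPLE = {"ts": 1363987109, "client": "192.0.2.10", "cport": 40000,
          "server": "198.51.100.5", "sport": 80, "method": "GET",
          "host": "example.com", "uri": "/index.html", "status": 200}

def csum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with valid checksums (Bro skips bad ones by default)."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", csum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0, s, d)
    ip = ip[:10] + struct.pack("!H", csum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + tcp + payload

def record_to_pcap(rec) -> bytes:
    """Build pcap bytes: handshake, request, response and final ACK for one record."""
    c, s, cp, sp = rec["client"], rec["server"], rec["cport"], rec["sport"]
    req = ("%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (rec["method"], rec["uri"], rec["host"])).encode()
    resp = ("HTTP/1.1 %d Synthetic\r\nContent-Length: 0\r\n\r\n" % rec["status"]).encode()
    SYN, PSH, ACK = 0x02, 0x08, 0x10
    frames = [
        frame(c, s, cp, sp, 1000, 0, SYN),
        frame(s, c, sp, cp, 5000, 1001, SYN | ACK),
        frame(c, s, cp, sp, 1001, 5001, ACK),
        frame(c, s, cp, sp, 1001, 5001, PSH | ACK, req),
        frame(s, c, sp, cp, 5001, 1001 + len(req), PSH | ACK, resp),
        frame(c, s, cp, sp, 1001 + len(req), 5001 + len(resp), ACK),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # 1 = LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", rec["ts"], i * 1000, len(f), len(f)) + f
    return out
```

Write the returned bytes to a file and read it with `bro -r`; only fields present in the log record can be reproduced, so detections that depend on other headers or on bodies will see nothing.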
