[Bro] Packet Level Analysis
Hosom, Stephen M
hosom at battelle.org
Wed Aug 6 07:49:33 PDT 2014
The sorts of places where I see this being useful are well served by the Signatures framework.
The traceroute detector in policy/misc is a pretty good example of this ‘sort’ of thing.
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Gehana Booth
Sent: Wednesday, August 06, 2014 9:13 AM
To: bro at bro.org
Subject: [Bro] Packet Level Analysis
This is probably a very silly question, but I just wanted to get some opinions. Is it possible/feasible to do packet level analysis with bro (e.g., looking at the entire packet as a string to find similar patterns between packets)? Or is bro too high-level to make this an option, as it seems that the relevant events (new_packet, packet_contents, etc.) are exceedingly slow.
If this is possible, however, would I be able to do this in bro scripts or would I need to do something like write the module in C/C++ to hook into bro?
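As an added illustration of the Signatures framework approach Stephen points to (constructed here, not code from this thread or from the Bro distribution): a signature matches a pattern in reassembled TCP payload, and a script handles signature_match to count hits per originating host instead of inspecting every packet from new_packet or packet_contents. The marker string, port 8080 and both file names are assumptions.

```bro
# --- file: example-marker.sig (constructed signature, assumed filename) ---
# Matches a constructed marker string in client-to-server TCP payload.
# The payload regex is applied to the reassembled stream from its start,
# so the leading .* is needed to find the marker anywhere in it.
signature example-marker {
    ip-proto == tcp
    dst-port == 8080
    tcp-state established,originator
    payload /.*EXAMPLE-MARKER-[0-9]{4}/
    event "example marker seen in payload"
}

# --- file: example-marker.bro (constructed script, assumed filename) ---
@load base/frameworks/signatures
@load-sigs ./example-marker.sig

module ExampleMarker;

export {
    ## Matches per originating host, so repeated hits across connections
    ## can be spotted without handling a per-packet event.
    global hits_per_orig: table[addr] of count &default = 0 &create_expire = 1 hr;
}

# Record matches of this signature in signatures.log without raising a notice.
redef Signatures::actions += { ["example-marker"] = Signatures::SIG_LOG };

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Only react to our own signature; other loaded signatures also fire here.
    if ( state$sig_id != "example-marker" )
        return;

    local orig = state$conn$id$orig_h;
    ++hits_per_orig[orig];

    # data holds the payload the engine matched, not the full packet.
    print fmt("%s: %s -> %s (%d hits from this host, %d matched bytes)",
              msg, orig, state$conn$id$resp_h, hits_per_orig[orig], |data|);
    }
```

Run with `bro -r capture.pcap example-marker.bro`; the traceroute detector in policy/misc follows the same signature-plus-handler layout for ICMP.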