[Bro] Packet Level Analysis

Seth Hall seth at icir.org
Wed Aug 6 09:20:05 PDT 2014

On Aug 6, 2014, at 9:12 AM, Gehana Booth <GehanaBooth at cmail.carleton.ca> wrote:

> Or is bro too high-level to make this an option, as it seems that the relevant events (new_packet, packet_contents, etc.) are exceedingly slow.

Bro is unfortunately too high level to this right now.  There are a few things being worked on that might provide better interfaces for doing this analysis but they aren't functional yet. (bro script compiler and binpac++)

> would I need to do something like write the module in C/C++ to hook into bro?

You could certainly write something like that.  Our analyzers are abstracted in our repository so it should be fairly easy to see how they're constructed and to write your own, assuming you're comfortable with c/c++.  We definitely recognize that falling back to c/c++ is suboptimal though, but at the moment it's all we have to solve your problem well.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140806/f7e6d8c8/attachment.bin 

More information about the Bro mailing list