[Bro] BitTorrent protocol analyzer help

Seth Hall seth at icir.org
Mon Oct 6 20:42:15 PDT 2014

On Oct 6, 2014, at 10:07 PM, Nick Pratley <npratley at redhat.com> wrote:

> Hi, I need some help with the BitTorrent protocol analyzer. My aim is to log info_hash values for
> files downloaded over bittorrent.

The bittorrent analyzer has undergone some bitrot and doesn't currently have scripts that enable it.

> I can see bittorrent-related events in base/bif/plugins/Bro_BitTorrent.events.bif.bro but these
> events don't seem to be getting raised.

If you look at the base scripts for other protocols, you will see where the analyzer is attached to connections by a port heuristic or by a signature heuristic in the accompanying .sig file (in scripts/base/protocols/xxx/).

Generally, unless you're prepared to do some heavier core and scriptland work, bittorrent isn't going to be something you can just use right now.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
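
A scriptland starting point for what Seth describes above: attach the analyzer to connections by the port heuristic and log the info_hash from the peer-handshake event. This is an added example for this thread, not code from Seth Hall or from the Bro project. It assumes the bittorrent_peer_handshake event signature declared in Bro_BitTorrent.events.bif (c, is_orig, reserved, info_hash, peer_id), the module name BitTorrentHash, the log path derived from it, and the traditional 6881-6889 client port range; the signature-based alternative is shown in a comment. Whether the event actually fires once the analyzer is attached depends on the analyzer core itself, which Seth says has bitrotted, so this covers only the script side of the work.

```bro
##! Attach the BitTorrent peer-wire analyzer by port heuristic and log the
##! info_hash (SHA-1 of the torrent's info dictionary) from each peer
##! handshake.  Added example for this thread; module name, log stream and
##! port list are assumptions, not Bro's own script.

@load base/frameworks/analyzer
@load base/frameworks/logging

module BitTorrentHash;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:        time    &log;
		uid:       string  &log;
		id:        conn_id &log;
		is_orig:   bool    &log;
		## 40 hex characters; the raw 20-byte value is hex-encoded because
		## it is binary and would corrupt a tab-separated log otherwise.
		info_hash: string  &log;
		## Hex-encoded as well; peer_id is client-chosen and may be binary.
		peer_id:   string  &log;
	};

	## Ports the analyzer is attached to.  6881-6889 is only the
	## conventional range (assumption); clients may use any port, which is
	## why the signature heuristic below is the more reliable option.
	const ports: set[port] = {
		6881/tcp, 6882/tcp, 6883/tcp, 6884/tcp, 6885/tcp,
		6886/tcp, 6887/tcp, 6888/tcp, 6889/tcp,
	} &redef;
}

# Signature-based alternative (assumed content of a companion .sig file
# loaded with @load-sigs).  The peer-wire handshake begins with the byte
# 0x13 followed by the literal string "BitTorrent protocol".
#
# signature dpd_bittorrent_peer {
#     ip-proto == tcp
#     payload /^\x13BitTorrent protocol/
#     enable "bittorrent"
# }

event bro_init() &priority=5
	{
	Log::create_stream(BitTorrentHash::LOG, [$columns=Info]);
	# Without this registration (or a signature) nothing ever attaches the
	# analyzer, so none of its events are raised.
	Analyzer::register_for_ports(Analyzer::ANALYZER_BITTORRENT, ports);
	}

event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
                                info_hash: string, peer_id: string)
	{
	# Both sides send a handshake; is_orig tells them apart in the log.
	local rec: Info = [$ts=network_time(),
	                   $uid=c$uid,
	                   $id=c$id,
	                   $is_orig=is_orig,
	                   $info_hash=bytestring_to_hexstr(info_hash),
	                   $peer_id=bytestring_to_hexstr(peer_id)];
	Log::write(BitTorrentHash::LOG, rec);
	}
```

Load it with the rest of your local scripts (for example from local.bro) and check that the stream is created with bro -N or by looking for the resulting log; if the log stays empty on traffic that clearly contains peer handshakes, the problem is in the analyzer core rather than in this script, which is the "heavier core work" Seth refers to.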
