[Bro] BitTorrent protocol analyzer help
seth at icir.org
Mon Oct 6 20:42:15 PDT 2014
On Oct 6, 2014, at 10:07 PM, Nick Pratley <npratley at redhat.com> wrote:

> Hi, I need some help with the BitTorrent protocol analyzer. My aim is to log info_hash values for
> files downloaded over bittorrent.

The bittorrent analyzer has undergone some bitrot and doesn't currently have scripts that enable it.

> I can see bittorrent-related events in base/bif/plugins/Bro_BitTorrent.events.bif.bro but these
> events don't seem to be getting raised.

If you look at the base scripts for other protocols, you will see where the analyzer is attached to connections by a port heuristic or by a signature heuristic in the accompanying .sig file (in scripts/base/protocols/xxx/).

Generally, unless you're prepared to do some heavier core and scriptland work, bittorrent isn't going to be something you can just use right now.

International Computer Science Institute
(Bro) because everyone has a network
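
Added example, not part of the original message and not Bro code: a Python sketch of what a signature heuristic for BitTorrent would match on and where the info_hash sits in the peer handshake (length byte 19, the string "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer_id). The function names, connection ids and sample payloads are assumptions constructed for illustration.

```python
from typing import Iterable, List, NamedTuple, Optional, Tuple

PSTR = b"BitTorrent protocol"
PREFIX = bytes([len(PSTR)]) + PSTR           # b"\x13BitTorrent protocol"
HANDSHAKE_LEN = len(PREFIX) + 8 + 20 + 20    # 68 bytes in total


class Handshake(NamedTuple):
    reserved: bytes   # 8 extension-flag bytes
    info_hash: str    # 20-byte SHA-1 of the torrent's info dict, as hex
    peer_id: bytes    # 20-byte client-chosen identifier


def looks_like_bittorrent(payload: bytes) -> bool:
    """Signature-style check on the first bytes of a TCP stream."""
    return payload.startswith(PREFIX)


def parse_handshake(payload: bytes) -> Optional[Handshake]:
    """Return the parsed handshake, or None if the payload is not a
    complete BitTorrent handshake (wrong prefix or still truncated)."""
    if not looks_like_bittorrent(payload) or len(payload) < HANDSHAKE_LEN:
        return None
    off = len(PREFIX)
    reserved = payload[off:off + 8]
    info_hash = payload[off + 8:off + 28]
    peer_id = payload[off + 28:off + 48]
    return Handshake(reserved, info_hash.hex(), peer_id)


def log_info_hashes(streams: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Map (conn_id, first_payload) pairs to (conn_id, info_hash) log rows,
    skipping streams that do not carry a complete handshake."""
    rows = []
    for conn_id, payload in streams:
        hs = parse_handshake(payload)
        if hs is not None:
            rows.append((conn_id, hs.info_hash))
    return rows


# Constructed sample data: one full handshake, one HTTP request,
# and one handshake cut short by segmentation.
SAMPLE_HANDSHAKE = PREFIX + bytes(8) + bytes(range(20)) + b"-XX0001-" + b"0" * 12
SAMPLE_STREAMS = [
    ("conn1", SAMPLE_HANDSHAKE),
    ("conn2", b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("conn3", SAMPLE_HANDSHAKE[:40]),
]

if __name__ == "__main__":
    for row in log_info_hashes(SAMPLE_STREAMS):
        print(*row)
```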