[Bro] Stream Extraction from Scriptland

Seth Hall seth at icir.org
Tue Sep 23 05:42:32 PDT 2014

On Sep 22, 2014, at 10:27 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> I supposed my root question is this: is there a way to use Bro
> scripting to identify a connection of interest and have it written to
> disk (either with the exec framework or with set_record_packet)
> instead of including dumb BPFs with Bro's invocation?

That's one of the features of the TimeMachine framework that I haven't finished yet. :)

You can use the set_record_packets BiF as you found too, but that requires that you are running Bro with the -w flag to write packets to disk.  Ultimately I think that something like the TimeMachine approach is the most scalable because you could even do your bulk packet recording on a separate device and just have Bro communicate to it when you want to extract some packets (even going back in time).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
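As an added illustration of the set_record_packets approach Seth describes (example script, not code from the thread or from the Bro project): run Bro with -w so every packet is dumped by default, then turn recording off for connections that do not match a selection rule and back on for any connection a notice is raised against. The module name and the port set are assumptions chosen for the example.

```bro
##! Selective packet recording with `bro -w out.pcap -r|-i ... record_selected.bro`
##! Example script for illustration; module name and ports are constructed.
module RecordSelected;

export {
	## Services whose connections we always want on disk (constructed sample).
	const ports_of_interest: set[port] = { 22/tcp, 3389/tcp } &redef;
}

event new_connection(c: connection)
	{
	# With -w, Bro records every packet unless told otherwise. Disable
	# recording for connections that are not interesting; packets handled
	# before this decision takes effect may already have been written.
	if ( c$id$resp_p !in ports_of_interest )
		set_record_packets(c$id, F);
	}

hook Notice::policy(n: Notice::Info)
	{
	# A notice makes the connection interesting after the fact: resume
	# recording from here on. Packets skipped before the notice fired are
	# gone, which is the gap a TimeMachine-style store would close.
	if ( n?$conn )
		set_record_packets(n$conn$id, T);
	}
```

Recording is a per-connection switch, so the resulting pcap holds the selected connections without any BPF on the Bro command line.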
