[Bro] Stream Extraction from Scriptland

anthony kasza anthony.kasza at gmail.com
Tue Sep 23 07:35:33 PDT 2014

I agree with your point on scalability and look forward to the TimeMachine

It does seem that set_record_packets only works on TCP data packets,
though. I'm not sure if that's an issue with the function or with the
documentation about the function.

The script I included sets all new connections to false with
set_record_packets, then sets connections to true from the
connection_state_remove event if they contain DNS. The notes.txt file shows
the bro command I ran (including the -w option) against the sample.pcap
file, included previously, to produce a new trace file with unexpected

Is this a bug in the function or am I reading the doc incorrectly? Thanks
all (Seth).

On Sep 23, 2014 5:42 AM, "Seth Hall" <seth at icir.org> wrote:

> On Sep 22, 2014, at 10:27 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
> > I suppose my root question is this: is there a way to use Bro
> > scripting to identify a connection of interest and have it written to
> > disk (either with the exec framework or with set_record_packet)
> > instead of including dumb BPFs with Bro's invocation?
> That's one of the features of the TimeMachine framework that I haven't
> finished yet. :)
> You can use the set_record_packets BiF as you found too, but that requires
> that you are running Bro with the -w flag to write packets to disk.
> Ultimately I think that something like the TimeMachine approach is the most
> scalable because you could even do your bulk packet recording on a
> separate device and just have Bro communicate to it when you want to
> extract some packets (even going back in time).
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/