[Bro] P2P Traffic

Ron M. Jenkins rjenkins at rmjconsulting.net
Tue May 12 07:40:49 PDT 2015


Has any already set this to log to a file?


Thanks!


From: grigorescu at gmail.com [mailto:grigorescu at gmail.com] On Behalf Of Vlad Grigorescu
Sent: Tuesday, May 12, 2015 9:29 AM
To: Ron M. Jenkins
Cc: bro at bro.org List (bro at bro.org)
Subject: Re: [Bro] P2P Traffic

There are two parts to each analyzer - the traffic is parsed off the wire in the "core," which is what you showed in your screenshot, and events are generated. Then, Bro scripts handle the events to generate logs, raise notices, etc. Bro scripts also determine which analyzer will be enabled for a certain TCP or UDP connection. Bro protocol analyzers exist in several different states - most protocol analyzers have both core and script layer code, and get enabled properly. It's possible for an analyzer to be enabled, but not have any event handlers to actually *do* anything with the resulting data (I don't think there are any examples of this right now). Finally, the core parsing code could be present, but the analyzer isn't getting enabled, and there are no scripts either. Some analyzers fall into this third category (including bittorrent).

Everything in the screenshot should be getting compiled into Bro, and it's available for you to use, but some may require you to write custom scripts to enable the analyzer or generate logs. To see which analyzers are available in your complied version of Bro, you can run:

> % bro --print-plugins
> Bro::ARP - ARP Parsing (built-in)
> Bro::AYIYA - AYIYA Analyzer (built-in)
> Bro::BackDoor - Backdoor Analyzer deprecated (built-in)
> Bro::BitTorrent - BitTorrent Analyzer (built-in)
> Bro::ConnSize - Connection size analyzer (built-in)
> Bro::DCE_RPC - DCE-RPC analyzer (built-in)
> Bro::DHCP - DHCP analyzer (built-in)
> Bro::DNP3 - DNP3 UDP/TCP analyzers (built-in)
> ...

For example, if you want to enable the BitTorrent analyzer, you could write a dynamic-protocol detection signature for it like this:

> # site/bt_dpd.sig
> signature dpd_bittorrent {
>          ip-proto == tcp
>          payload /\x13BitTorrent protocol.\x00.\x00\x00/
>          enable "bittorrent"
> }

Then, in your site/local.bro, you could load this with "@load-sigs ./dpd.sig". This should be enough to start seeing BitTorrent P2P connections have the service field of conn.log set to "bittorrent." If you want to take this a step further, and start writing out a bittorrent.log file, you could then start handling the BitTorrent events: https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent

  --Vlad

On Tue, May 12, 2015 at 8:28 AM, Ron M. Jenkins <rjenkins at rmjconsulting.net<mailto:rjenkins at rmjconsulting.net>> wrote:

Good morning;



I see lots of protocol analyzers in the source, but not after complied and install.



How do I get all analyzers installed?





Thanks!





[cid:image001.png at 01D08C97.BAD0F0B0]



-----Original Message-----
From: bro-bounces at bro.org<mailto:bro-bounces at bro.org> [mailto:bro-bounces at bro.org<mailto:bro-bounces at bro.org>] On Behalf Of Doris Schioberg
Sent: Monday, May 11, 2015 11:31 AM
To: bro at bro.org<mailto:bro at bro.org>
Subject: Re: [Bro] P2P Traffic



Hi Ron,



it that what you are looking for:

https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent



Doris



On 5/11/15 9:15 AM, Ron M. Jenkins wrote:

> Good morning;

>

> Can Bro detected P2P traffic, specially Bitorrent?

>

>

> Thanks!

>

>

>

> Ron Jenkins (Owner / Senior Architect) RMJ Consulting, LLC. "Bringing

> Companies and Solutions Together"

> 11715 Bricksome Ave STE B-7

> Baton Rouge, LA 70816

> Toll: 855-448-5214<tel:855-448-5214>

> Direct. 225-448-5214<tel:225-448-5214> Ext #101

> Fax. 225-448-5324<tel:225-448-5324>

> Cell. 225-931-1632<tel:225-931-1632>

> Email. rjenkins at rmjconsulting.net<mailto:rjenkins at rmjconsulting.net<mailto:rjenkins at rmjconsulting.net%3cmailto:rjenkins at rmjconsulting.net>>

> Web. http://www.rmjconsulting.net<http://www.rmjconsulting.net/<http://www.rmjconsulting.net%3chttp:/www.rmjconsulting.net/>>

> Log Siphon. http://www.logsiphon.com<http://www.logsiphon.com/<http://www.logsiphon.com%3chttp:/www.logsiphon.com/>>

> Linkedin.

> www.linkedin.com/in/ronmjenkins/<http://www.linkedin.com/in/ronmjenkin<http://www.linkedin.com/in/ronmjenkins/%3chttp:/www.linkedin.com/in/ronmjenkin>

> s/>

> Twitter:

> www.twitter.com/RMJConsulting<http://www.twitter.com/RMJConsulting<http://www.twitter.com/RMJConsulting%3chttp:/www.twitter.com/RMJConsulting>>

> Facebook:

> www.facebook.com/rmjcsconsulting<http://www.facebook.com/rmjcsconsulti<http://www.facebook.com/rmjcsconsulting%3chttp:/www.facebook.com/rmjcsconsulti>

> ng> RMJ Consulting's Technology Corner.

> https://www.rmjconsulting.net/main/paper.php

>

>

>

>

> _______________________________________________

> Bro mailing list

> bro at bro-ids.org<mailto:bro at bro-ids.org>

> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

>



--

Doris Schioberg

Bro Outreach, Training, and Education Coordinator International Computer Science Institute (ICSI Berkeley)

Phone: +1 (510) 289-8406<tel:%2B1%20%28510%29%20289-8406> * doris at bro.org<mailto:doris at bro.org> _______________________________________________

Bro mailing list

bro at bro-ids.org<mailto:bro at bro-ids.org>

http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

_______________________________________________
Bro mailing list
bro at bro-ids.org<mailto:bro at bro-ids.org>
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150512/5ffe9d05/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 26807 bytes
Desc: image001.png
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150512/5ffe9d05/attachment-0001.bin 


More information about the Bro mailing list