[Bro] Bro handling of Microsoft BITS traffic
seth at icir.org
Mon Feb 29 12:51:56 PST 2016
> On Feb 29, 2016, at 12:44 PM, Josh Guild <josh.guild at morphick.com> wrote:
> I have a question about how Bro handles Micorsoft BITS (Background Intelligent Transfer Service) traffic since the file is only partially downloaded in the session it's monitoring. We've seen some traffic and it looks like Bro just shows as an incomplete file and doesn't carve it properly.
There is actually some support in the file analysis code to handle this type of situation. It *probably* already works if the BITS traffic you are seeing is in a pcap file or seen by a single Bro worker. We don't have anything in place yet to do extraction from traffic hitting multiple workers. This is also a bit of a weird feature because none of the other network monitoring software that's around does this.
I would be interested in how you see Bro handling the traffic if you have a pcap file with the full transfer happening over multiple connections to see if Bro extracts the file correctly. It's possible that they've changed things a bit I worked with it last.
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro