[Bro] A lower level interface

Johanna Amann johanna at icir.org
Tue Oct 10 11:50:59 PDT 2017


Hi again,

> The thing we are planning to do is similar to the [protocol reverse
> engineering + traffic pattern recognition]; so we consider that we may need
> the lower level interface to inspect the byte stream since the patterns
> that we want to identify (e.g., a series of connection activities) would
> involve various protocols.

It sadly is really a bit hard to tell what exactly the best starting point
is without knowing the exact problem. You mention connection activities -
does that mean activities inside the same connection or activities within
different connections?

If it is the latter - you could potentially use signatures to identify
"interesting" connections and use Bro script level events to tie
cross-connection information together.

If signatures for some reason are not enough, it depends a bit on your
traffic. If you only want this to run in rather low-traffic environments,
it might be ok to use the low-level events like tcp_payload. If not - your
only choice quickly becomes to write a C++ analyzer, which then once again
can raise events. You can even write several analyzers, one which only
tries to deduce if a connection is interesting, which then in turn can
forward data to more specific analyzers if interesting data is found.

I hope that helps; I am sorry that I am not more specific, but given that
I still don't 100% understand what you are trying to do this is the best I
can do.

 Johanna

> 
> We do have the signature part to accomplish the payload matching. But it
> may not be sufficient when we consider the traffic recognition (e.g.,
> generating a signature that involves various protocols and network
> components).
> 
> Thanks for your replies. It does help a lot.
> 
> 
> On Tue, Oct 10, 2017 at 2:22 PM, Johanna Amann <johanna at icir.org> wrote:
> 
> > > Basically I am looking for an interface by which we can examine and
> > > extract the features of the byte stream (or strings) from the traffic
> > > (TCP payload), and then we will feed the stream to our analyzer (e.g.,
> > > via BinPac). Currently I am looking at the tcp_contents; I think it
> > > might be sufficient so I don't have to use tcp_packet or new_packet.
> >
> > I still don't quite get what you are planning to do here. Do you plan to
> > do some kind of signature to figure out that something is a specific
> > protocol (so match certain byte sequences)? Or do you really want to do
> > something more complex that needs scripting?
> >
> > tcp_contents is probably less expensive than the other named choices, but
> > it probably still is pretty heavyweight.
> >
> > Johanna
> >

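Added example (not part of the thread and not Bro project code): a sketch of
the first approach Johanna suggests, signatures flagging "interesting"
connections and a script-level signature_match handler tying matches from
several protocols together per originating host. The stage names, ports,
payload patterns, the 10 minute window and the notice type are all
illustrative assumptions; the companion signature file is shown in the
comment block and is assumed to be saved as cross-conn.sig next to the
script.

```bro
##! Example (not from the Bro project): cross-connection correlation of
##! signature matches. All stage names, patterns and thresholds are assumed.

@load base/frameworks/notice

# Assumed contents of cross-conn.sig, loaded below with @load-sigs. The
# string after "event" becomes the msg argument of signature_match.
#
#   signature stage-dns-probe {
#       ip-proto == udp
#       dst-port == 53
#       payload /.*\x07example\x03com/
#       event "stage1"
#   }
#   signature stage-http-probe {
#       ip-proto == tcp
#       dst-port == 80
#       payload /^GET \/admin/
#       event "stage2"
#   }
#   signature stage-ssh-connect {
#       ip-proto == tcp
#       dst-port == 22
#       payload /^SSH-2\.0-/
#       event "stage3"
#   }
@load-sigs ./cross-conn.sig

module CrossConn;

export {
    redef enum Notice::Type += {
        ## One host was seen completing every stage of the pattern.
        Multi_Protocol_Pattern
    };

    ## Stages that must all be seen from one originator (the "event"
    ## strings in cross-conn.sig). Assumed values.
    const required_stages: set[string] = { "stage1", "stage2", "stage3" } &redef;

    ## How long partial progress is remembered before it is forgotten.
    const stage_window = 10 min &redef;
}

type Progress: record {
    stages: set[string];   # stage names matched so far
    first_seen: time;      # when the first stage was matched
    conns: set[string];    # uids of the connections that contributed
};

# Per-originator state; idle entries expire so the table cannot grow forever.
global progress: table[addr] of Progress &write_expire=stage_window;

function complete(p: Progress): bool
{
    for ( s in required_stages )
        if ( s !in p$stages )
            return F;
    return T;
}

event signature_match(state: signature_state, msg: string, data: string)
{
    # Ignore matches from signatures that are not part of this pattern.
    if ( msg !in required_stages )
        return;

    local orig = state$conn$id$orig_h;

    if ( orig !in progress )
        progress[orig] = Progress($stages=set(), $first_seen=network_time(), $conns=set());

    add progress[orig]$stages[msg];
    add progress[orig]$conns[state$conn$uid];

    if ( complete(progress[orig]) )
    {
        NOTICE([$note=Multi_Protocol_Pattern,
                $msg=fmt("%s completed all %d stages in %s", orig,
                         |required_stages|,
                         network_time() - progress[orig]$first_seen),
                $src=orig,
                $conn=state$conn,
                $identifier=cat(orig),
                $suppress_for=1 hr]);
        delete progress[orig];
    }
}
```

Run it against a trace with something like "bro -r trace.pcap cross-conn.bro"
and look for Multi_Protocol_Pattern in notice.log. The signature engine does
the per-connection byte matching, so the script only handles the handful of
connections that matched, which is what keeps this cheaper than handling
tcp_contents for every connection. The trade-off is the &write_expire window:
an originator that takes longer than stage_window between stages is forgotten
and never raises the notice, so tune it to how slowly the activity you are
after can unfold.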
