[Bro] A lower level interface
haoscs at gmail.com
Tue Oct 10 12:28:53 PDT 2017
> It sadly is really a bit hard to tell what exactly the best starting point
> is without knowing the exact problem. You mention connection activities -
> does that mean activities inside the same connection or activities within
> different connections?
> If it is the latter - you could potentially use signatures to identify
> "interesting" connections and use Bro script level events to tie
> cross-connection information together.
Johanna, thanks for your patient and detailed replies.
I think it is the latter. For example, some external connections (let's say
an HTTP Get/Post to server A, with a binary string with signature S1) will
raise some activities of local network components B and C, where the
traffic is associated with a signature S2. Then we would like to *learn*
such a pattern (HTTP_Get/Post_A, S1, B, C, S2) as a pattern signature. So
we are considering "tokenizing" the byte stream to extract and cluster the
strings from the raw payload.
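Added example, not part of the original thread: one way to implement the suggestion above (signatures to flag interesting connections, script-level events to tie them together) for the (HTTP_Get/Post_A, S1, B, C, S2) pattern, as a Bro script. It assumes a signature file `pattern.sig` whose `event` strings are "S1" and "S2" (sketched in the header comment with placeholder payload markers), a placeholder address for server A, and `Site::local_nets` configured so that `Site::is_local_addr` can tell B and C apart from external hosts.

```bro
# Assumed pattern.sig (placeholder markers; real payload content unknown):
#   signature s1_to_server_a {
#       ip-proto == tcp
#       dst-ip == 203.0.113.10
#       dst-port == 80
#       payload /.*S1-MARKER/
#       event "S1"
#   }
#   signature s2_internal {
#       ip-proto == tcp
#       payload /.*S2-MARKER/
#       event "S2"
#   }

@load base/frameworks/notice
@load-sigs ./pattern.sig

module PatternCorr;

export {
    redef enum Notice::Type += { Correlated_Pattern };
    ## External server A (placeholder address, adjust to the real one).
    const server_a = 203.0.113.10 &redef;
    ## How long an S1 hit stays eligible for pairing with an S2 hit.
    const window = 30 secs &redef;
}

# Local hosts whose connection to A matched S1, keyed by host; entries expire after window.
global s1_seen: table[addr] of time &create_expire = window;

# Raise a notice if host h (an endpoint of the S2 connection c) recently matched S1 against A.
function check_s2(h: addr, c: connection, other: addr)
    {
    if ( h !in s1_seen ) return;
    NOTICE([$note=Correlated_Pattern,
            $msg=fmt("pattern (A=%s, S1, B=%s, C=%s, S2) within %s",
                     server_a, h, other, network_time() - s1_seen[h]),
            $conn=c,
            $identifier=cat(h, other)]);
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    local c = state$conn;
    if ( msg == "S1" && c$id$resp_h == server_a )
        {
        s1_seen[c$id$orig_h] = network_time();  # local host B talked to A with S1
        return;
        }
    if ( msg == "S2" && Site::is_local_addr(c$id$orig_h) && Site::is_local_addr(c$id$resp_h) )
        {
        check_s2(c$id$orig_h, c, c$id$resp_h);  # B -> C
        check_s2(c$id$resp_h, c, c$id$orig_h);  # C -> B
        }
    }
```

The notice carries the tuple (A, B, C) plus the S1-to-S2 delay, which is the raw material for the pattern learning the message proposes; the script itself only correlates, it does not tokenize or cluster payloads.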