<div class="gmail_quote"><div>Hi Robin, <br><br>Thanks for the quick reply! <br><br>Just for more context: What I have is a application-level byte-stream in both directions which is already re-assembled and sequenced. I would like to use the trace anonymization (by Ruoming Pang et. al.) which strips out user-sensitive information from a given trace according to a user-provided script. I also need to do this in an online fashion. <br>
<br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
> 1. Cook up fake link-layer, TCP,IP headers, and feed Bro via a FIFO.<br>
<br>
</div>That seems to be the easiest option for an implementation as you<br>
wouldn't need to dive into Bro but could write the conversion<br>
completely externally. Also, with tools like tcpdump etc. you could<br>
quickly see if things look like they're supposed to. However, I'm<br>
not sure I fully understand in which format your input is in<br>
exactly, so not sure how easy it would be to turn it into fake<br>
packets (e.g., is it already reassembeled or still packetized?).<br>
<div class="Ih2E3d"></div></blockquote><div><br>Well, actually cooking up the fake headers should be simple, since my data stream is already reassembled, and only needs to wrapped up in the appropriate TCP and IP headers, along with some fake SYNs, SYNACKs, and FINs. I didn't really like the idea of cooking up fake stuff, since I don't really want Bro to do analysis on these fake headers. But, as you say, this is probably the simplest option for me. <br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d"><br>
> 2. Use Brocolli to send really low-level events (events being "so and so<br>
> bytes seen on so and so conn").<br>
<br>
</div>Won't really work because Bro doesn't have any events which are so<br>
low-level. All its events are coming out of the packet/payload<br>
analysis, they aren't any which provide input for it. (You could add<br>
some of your on to feed your data into Bro protocol processing via<br>
Broccoli but that wouldn't be too different from faking packets as<br>
in (1).)</blockquote><div><br>Oh, I see. <br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
> 3. Use the Bro source code directly, and somehow instantiate an analyzer<br>
> directly on the byte-stream. Any state needed (such as connection endpoints)<br>
> have to be cooked up.<br>
<br>
</div><br>That's an interesting thought. I don't have an immediate opinion on<br>
how difficult this would be. My guess is that you'd quickly be<br>
running into lots of subtle problems with lacking the state you need<br>
to keep the analysis going and which is hard to cook up. That said,<br>
if you're game to dive into Bro's internals for such a solution, you<br>
could just give it a try. However, I wouldn't spend too much time on<br>
it if it turns out to get problematic (and again at lot of this<br>
depends on how *exactly* your input looks like).<br>
</blockquote><div><br>Oh, I see. I have been nosing around the source code to figure this out, and the new DPD framework seems fairly subtle to get right. As you say, I will probably do this for some more time, and then go to the fake header option.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">One other thought: which applications are you interested in? If it's<br>
only a few and there happen to be binpac analyzers for them, you<br>
could write a standalone program feeding your data into these binpac<br>
analyzers.</blockquote><div><br>Well, I would like it to be as general as possible (since the application-level stream is coming from a decrypted SSL connection, which may be in use by any application), which is why I thought of leveraging Bro's broad support rather than BinPac support. Also, the anonymization script (by Pang et al) relies on the event processing of Bro, and so again, I need to run the trace through Bro to get those events. <br>
</div><div> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Final note: you mention that you want to rewrite the content: I'm<br>
not very familiar with that part of Bro but I'm guessing it also has<br>
quite a few dependencies on having packets as input.</blockquote><div> <br>Yes, Pang's scripts maintain a lot of application-level state in doing the anonymization, which is why I need to run them through Bro. <br>
<br>Once again, thanks for the quick reply. <br><br>Thanks,<br>Jayanth</div></div>