[Bro] Traffic analysis by Bro
Abhinay Kampasi
abhinay at cs.utexas.edu
Fri Nov 10 10:47:02 PST 2006
Thanks Robin,
So suppose my script wants to analyze only interactive traffic (for example
telnet, ssh), it will be have to explicitly ignore all packets not on ports
22/23 because the capture filter may have been modified by other scripts to
capture other traffic.
Regards,
Abhinay
-----Original Message-----
From: Robin Sommer [mailto:robin at icir.org]
Sent: Friday, November 10, 2006 11:11 AM
To: Abhinay Kampasi
Cc: bro at bro-ids.org
Subject: Re: [Bro] Traffic analysis by Bro
On Thu, Nov 09, 2006 at 12:32 -0600, Abhinay Kampasi wrote:
> What traffic does Bro monitor by default (i.e. what pcap capture filter
> does it use)?
It builds the pcap filter dynamically at startup depending on which
scripts you load. Just load the script print-filter to see how it
looks like in your particular setup.
> Does this modify the global filter? I mean do all the policy scripts
> (and not only my script) see the SSH traffic?
Yes. Yes. There's always only one pcap filter in use.
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list