[Bro] Traffic analysis by Bro

Robin Sommer robin at icir.org
Sat Nov 11 10:09:16 PST 2006


On Fri, Nov 10, 2006 at 12:47 -0600, Abhinay Kampasi wrote:

> So suppose my script wants to analyze only interactive traffic (for example
> telnet, ssh), it will have to explicitly ignore all packets not on ports
> 22/23 because the capture filter may have been modified by other scripts to
> capture other traffic.

Hmm... Yes and no. Yes because in terms of filtering Bro does not
keep track of which traffic is requested by which script. But no
because your script will contain event handlers to implement your
detection logic. Many (though not all) events are thrown by
application-specific analyzers which only analyze "their" traffic.
E.g., the HTTP analyzer looks only at HTTP connections and thus
you're only going to see HTTP events for traffic on port 80 (or
whichever port it happens to use).

So, the bottom line is that it depends on which events you're going
to analyze. Depending on that, you may or may not need to filter out
events which are irrelevant for you.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
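The distinction Robin draws above, as an added example script that is not part of this thread: a generic connection event needs its own port check because it fires for everything the (shared) capture filter lets through, while a protocol-specific event is already limited to its analyzer's traffic. It assumes the Bro 1.x-era `capture_filters` table and the `connection_established` and `ssh_client_version` event names.

```bro
# Added example, not from the original thread.
# Assumes Bro 1.x-era names: the `capture_filters` table and the
# `connection_established` / `ssh_client_version` events.

# Ask for interactive traffic; other loaded scripts may add their own
# entries, so the effective filter can be broader than this.
redef capture_filters += { ["interactive"] = "tcp port 22 or tcp port 23" };

# Ports this script treats as interactive (hypothetical, redefinable).
const interactive_ports: set[port] = { 22/tcp, 23/tcp } &redef;

# Generic event: raised for every TCP connection Bro sees, whatever
# the combined capture filter turned out to be. Filtering is explicit.
event connection_established(c: connection)
    {
    if ( c$id$resp_p !in interactive_ports )
        return;    # not telnet/ssh: ignore this connection

    print fmt("interactive session %s -> %s:%s",
              c$id$orig_h, c$id$resp_h, c$id$resp_p);
    }

# Protocol-specific event: only the SSH analyzer raises it, so it is
# only ever seen for SSH connections. No port check is needed here.
event ssh_client_version(c: connection, version: string)
    {
    print fmt("ssh client %s announced %s", c$id$orig_h, version);
    }
```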
