[Bro] Traffic analysis by Bro

Christian Kreibich christian at whoop.org
Sat Nov 11 12:20:18 PST 2006


On Fri, 2006-11-10 at 12:47 -0600, Abhinay Kampasi wrote:
> Thanks Robin,
> 
> So suppose my script wants to analyze only interactive traffic (for example
> telnet, ssh), it will have to explicitly ignore all packets not on ports
> 22/23 because the capture filter may have been modified by other scripts to
> capture other traffic.

Abhinay, you don't need to worry about this: the semantic level at which
you're writing your script is far beyond the pcap filter specification.

Typically you will write your script based on event types that are
relevant to the traffic you are interested in. For example, in the case of
an SSH policy script, you might implement handlers for the
ssh_client_version() and ssh_server_version() events, which only ever
get triggered for SSH traffic (potentially in a port-independent fashion
thanks to the new dynamic protocol detection framework).

Think of it this way: you configure Bro using a number of policy
scripts. These scripts together (and through other scripts they @load)
make sure that Bro captures all traffic and only the traffic necessary
to trigger the events you are interested in. At the same time, no events
can ever be triggered (with some caveats) on traffic they are not meant
for.

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
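The SSH handlers Christian describes, as an added example that is not part of the original thread: the script never looks at ports or the capture filter, because ssh_client_version()/ssh_server_version() only fire on connections Bro has recognised as SSH. It assumes the Bro event signatures (connection, version string) and the standard connection_state_remove event; the SSH-1 banner check is an illustrative policy choice, not something from the thread.

```bro
# Added example, not from the original thread. Per-connection record of
# the client and server version strings, keyed by conn_id.
type ssh_versions: record {
    client: string;
    server: string;
};

global ssh_conns: table[conn_id] of ssh_versions;

# Banners announcing protocol 1.x are worth surfacing: SSH-1 has known
# weaknesses, and the policy should report them regardless of port.
const ssh_v1_banner = /^SSH-1\./ &redef;

function note_version(c: connection, who: string, version: string)
{
    if ( c$id !in ssh_conns )
        ssh_conns[c$id] = [$client="", $server=""];

    if ( who == "client" )
        ssh_conns[c$id]$client = version;
    else
        ssh_conns[c$id]$server = version;

    if ( ssh_v1_banner in version )
        print fmt("SSH protocol 1 %s banner %s -> %s: %s",
                  who, c$id$orig_h, c$id$resp_h, version);
}

# These events are raised by the SSH analyzer only; no port test needed.
event ssh_client_version(c: connection, version: string)
{
    note_version(c, "client", version);
}

event ssh_server_version(c: connection, version: string)
{
    note_version(c, "server", version);
}

# When the connection is torn down, print a one-line summary and drop state.
event connection_state_remove(c: connection)
{
    if ( c$id !in ssh_conns )
        return;

    local v = ssh_conns[c$id];
    print fmt("ssh %s:%s -> %s:%s client=\"%s\" server=\"%s\"",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
              v$client, v$server);
    delete ssh_conns[c$id];
}
```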