[Bro] Using Dynamic protocol detection to create a HTTP trace

Robin Sommer robin at icir.org
Wed Jan 31 09:18:40 PST 2007


On Mon, Jan 29, 2007 at 21:42 -0600, you wrote:

> Given a trace with all traffic, is it possible to use Bro to produce a
> trace with just the HTTP traffic? Any hints would be appreciated.

No, not directly (one of the reasons is that DPD may take the
decision whether a connection uses HTTP only after a couple of
packets have already passed; it buffers the payload so that it can
still analyze the full HTTP session but it does not keep the headers
so that they could be written out into another trace file).

But perhaps you can use Bro to find all the HTTP connections and
then extract them in a second post-processing step. Either you
browse through the notices reported, or you add an event handler for
protocol_confirmation (also see detect-protocols.bro) which then
adds some tag to the connection summaries in conn.log.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
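The second, post-processing step Robin suggests, as an added example (not code from the post or from Bro): it assumes a protocol_confirmation handler has already appended a hypothetical "dpd-http" tag to the addl column of conn.log, assumes the classic conn.log column order, and works on constructed sample log lines to build a tcpdump filter that pulls exactly those connections out of the full trace.

```python
from typing import List, Set, Tuple

TAG = "dpd-http"  # hypothetical tag appended by the protocol_confirmation handler

# Constructed conn.log sample; assumed column order (classic Bro conn.log):
# start duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state flags addl...
SAMPLE_CONN_LOG = """\
1170000000.123456 0.532 10.0.0.5 192.0.2.10 http 49152 80 tcp 512 3400 SF X dpd-http
1170000001.000000 12.0 10.0.0.5 192.0.2.53 dns 51000 53 udp 60 120 SF X
1170000002.500000 0.9 10.0.0.7 198.51.100.4 other 40001 8080 tcp 700 9000 SF X dpd-http
1170000003.000000 3.1 10.0.0.9 192.0.2.10 http 49200 80 tcp 100 200 SF X
"""

Conn = Tuple[str, int, str, int]  # (orig_h, orig_p, resp_h, resp_p)


def tagged_connections(conn_log: str, tag: str = TAG) -> Set[Conn]:
    """Collect the TCP 4-tuples of connections whose addl column carries `tag`.

    The tag, not the port-based 'service' column, decides: DPD confirmed HTTP on
    port 8080 in the sample, while the untagged port-80 flow was never confirmed.
    """
    conns: Set[Conn] = set()
    for line in conn_log.splitlines():
        f = line.split()
        if len(f) < 13 or f[7] != "tcp":
            continue  # addl column absent, or not TCP
        if tag in f[12:]:  # addl may hold several space-separated tags
            conns.add((f[2], int(f[5]), f[3], int(f[6])))
    return conns


def bpf_filter(conns: Set[Conn]) -> str:
    """Build a BPF expression that matches both directions of each connection."""
    if not conns:
        raise ValueError("no tagged connections to extract")
    terms: List[str] = []
    for oh, op, rh, rp in sorted(conns):
        fwd = f"(src host {oh} and src port {op} and dst host {rh} and dst port {rp})"
        rev = f"(src host {rh} and src port {rp} and dst host {oh} and dst port {op})"
        terms.append(f"({fwd} or {rev})")
    return "tcp and (" + " or ".join(terms) + ")"


def tcpdump_argv(conns: Set[Conn], trace_in: str, trace_out: str) -> List[str]:
    """argv for the extraction step: tcpdump -r <all traffic> -w <http only> <filter>."""
    return ["tcpdump", "-r", trace_in, "-w", trace_out, bpf_filter(conns)]
```

Because the filter is built from the tagged 4-tuples, it also recovers the packets DPD had already consumed before deciding the connection was HTTP, which is the part Bro itself cannot write back out.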