[Bro] Questions about Bro Capabilities

Reed Porada rporada at ll.mit.edu
Wed Oct 3 07:04:33 PDT 2007


On Sep 26, 2007, at 9:43 PM, Robin Sommer wrote:

>
> On Wed, Sep 26, 2007 at 15:16 -0400, you wrote:
>
>> 1) Is it possible to denote particular packets in a capture?  I know
>
> No, not really. The main problem here is that the link between most
> event handlers and the actual packets is pretty weak. In general,
> Bro does not give guarantees about when a particular event is raised
> and also doesn't keep track which packet triggered it. There's a
> function called get_current_packet() which returns the packet Bro
> currently munching on but when script code is running it's hard to
> predict which packet that actually is.
>
> The only event which directly refers to packets is new_packet() but
> using that is expensive because it is raised for *all* packets.
>
> That said, perhaps we might be able to come up with some idea if you
> sketch in a bit more detail what you're trying to achieve.
>

I am working on a Traffic Generator (TG) project.  Our TG has static
content for webpages and fileshares.  In addition, we know when our
TG hosts attempt to access that data.  Given those two things, I want
to be able to take a network capture, run it through a system and
separate out traffic that we know our TG generated, by correlating
intent and traffic content, and other traffic on the network.  The
end goal being smaller and more relevant network captures for an
analyst.  In order to do this I want to try and leverage others'
protocol analyzers and parsers.  Bro seems to be a good choice as I
believe through a policy and some pregenerated variables (based on
the content and host intent) I can validate given traffic to be from
our TG system, and leave the rest for others to analyze.  I believe
that in order to do this I need to get out of Bro the relevant
packets, either packet number or timestamp.  Given that information,
I would be able to run it through a script that would split the pcap
based on the output.  The added benefit of Bro is that it does some
additional analysis that could be useful for capture analysis.

Is that a better sketch?  Any thoughts?

Thanks in advance,
-Reed
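The pcap-splitting step Reed describes, as an added example that is not from this thread or from Bro itself: a script that takes the packet timestamps a Bro policy has written out (assumed here to be network_time() values in seconds with microsecond precision) and partitions a libpcap file into a TG capture and an "everything else" capture. The pcap layout handled is the little-endian microsecond format; the sample packets and timestamps are constructed.

```python
import struct

# libpcap file layout (little-endian, microsecond timestamps, as written by tcpdump on x86)
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4

def parse_pcap(blob):
    """Return (global_header_bytes, [(timestamp, raw_record_bytes), ...]) for one pcap file."""
    if len(blob) < GLOBAL_HDR.size or struct.unpack_from("<I", blob)[0] != MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    pos, records = GLOBAL_HDR.size, []
    while pos < len(blob):
        if pos + RECORD_HDR.size > len(blob):
            raise ValueError("truncated record header at offset %d" % pos)
        sec, usec, incl_len, _orig_len = RECORD_HDR.unpack_from(blob, pos)
        end = pos + RECORD_HDR.size + incl_len
        if end > len(blob):
            raise ValueError("truncated packet data at offset %d" % pos)
        records.append((sec + usec / 1e6, blob[pos:end]))  # keep header+data verbatim
        pos = end
    return blob[:GLOBAL_HDR.size], records

def split_by_timestamps(blob, known_ts, tolerance=0.0005):
    """Partition a pcap into (known_pcap, other_pcap): a packet is 'known' when its timestamp
    is within `tolerance` seconds of one the policy reported (slack for printed rounding)."""
    header, records = parse_pcap(blob)
    known_list = sorted(known_ts)
    known, other = [header], [header]
    for ts, raw in records:
        (known if any(abs(ts - k) <= tolerance for k in known_list) else other).append(raw)
    return b"".join(known), b"".join(other)

def make_pcap(packets, linktype=1):
    """Build a constructed sample pcap from [(timestamp, frame_bytes), ...]; linktype 1 = Ethernet."""
    out = [GLOBAL_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1e6))
        out.append(RECORD_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

# Constructed sample: three frames; the TG policy reported only the first and third timestamps.
SAMPLE_PCAP = make_pcap([
    (1190839200.000100, b"\x00" * 14 + b"GET /tg/index.html"),
    (1190839200.250000, b"\x00" * 14 + b"unrelated traffic"),
    (1190839201.000300, b"\x00" * 14 + b"GET /tg/file.dat"),
])
TG_TIMESTAMPS = {1190839200.0001, 1190839201.0003}  # as printed by a Bro policy (assumed format)
```

Writing the two returned byte strings to files gives two pcaps that tcpdump or Bro can read directly, each keeping the original global header.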
