[Bro] Questions about Bro Capabilities

Nicholas Weaver nweaver at ICSI.Berkeley.EDU
Wed Oct 3 07:36:24 PDT 2007


On Wed, Oct 03, 2007 at 10:04:33AM -0400, Reed Porada composed:
> > No, not really. The main problem here is that the link between most
> > event handlers and the actual packets is pretty weak. In general,
> > Bro does not give guarantees about when a particular event is raised
> > and also doesn't keep track which packet triggered it. There's a
> > function called get_current_packet() which returns the packet Bro
> > currently munching on but when script code is running it's hard to
> > predict which packet that actually is.

Although for events which are effectively instantaneous (e.g., the ones
created directly and indirectly by the protocol parsing),
get_current_packet() will be PART of the current stream, but due to
reordering issues, may not be the last packet in the current stream in
TCP sequence order.

> I am working on a Traffic Generator (TG) project.  Our TG has static
> content for webpages and fileshares.  In addition, we know when our
> TG hosts attempt to access that data.  Given those two things, I want
> to be able to take a network capture, run it through a system and
> separate out traffic that we know our TG generated, by correlating
> intent and traffic content, and other traffic on the network.  The
> end goal being smaller and more relevant network captures for an
> analyst.  In order to do this I want to try and leverage others'
> protocol analyzers and parsers.  Bro seems to be a good choice as I
> believe through a policy and some pregenerated variables (based on
> the content and host intent) I can validate given traffic to be from
> our TG system, and leave the rest for others to analyze.  I believe
> that in order to do this I need to get out of Bro the relevant
> packets, either packet number or timestamp.  Given that information,
> I would be able to run it through a script that would split the pcap
> based on the output.  The added benefit of Bro is that it does some
> additional analysis that could be useful for capture analysis.

What exactly are the defining characteristics of your synthetic traffic?

-- 
Nicholas C. Weaver                               nweaver at icsi.berkeley.edu
     This message has been ROT-13 encrypted twice for higher security.
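The splitting step described in the quoted message (take the packet numbers or timestamps that a Bro policy emits, and cut the pcap into a "known TG traffic" file and an "everything else" file) can be done without any capture library. The script below is an added example, not code from the original thread or from Bro; the pcap it operates on is constructed in memory, and the timestamps, payloads and the `split_pcap`/`iter_packets` names are assumptions for illustration. It goes slightly beyond the thread by accepting both selection styles at once, by handling big-endian and nanosecond-resolution pcap headers, and by taking a time tolerance, which is the practical answer to the reordering caveat above: the packet `get_current_packet()` hands you may not be the exact one you want, so matching a small window around the reported time is safer than matching one timestamp exactly.

```python
"""Split a pcap into "matched" and "other" captures by packet number or timestamp.

Added example (not Bro's code). Sample pcap below is constructed, not captured.
"""
import struct
import sys
from decimal import Decimal

# Raw magic bytes -> (struct endianness, ticks per second of the timestamp fraction field).
MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),      # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),      # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),  # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),  # big-endian, nanoseconds
}
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype


def iter_packets(data):
    """Yield (packet_number, ts_ns, raw_record_bytes); numbering is 1-based like tcpdump/Wireshark."""
    if len(data) < GLOBAL_HDR_LEN or data[:4] not in MAGICS:
        raise ValueError("not a pcap file (bad length or magic)")
    endian, ticks_per_sec = MAGICS[data[:4]]
    rec = struct.Struct(endian + "IIII")          # ts_sec, ts_frac, incl_len, orig_len
    ns_per_tick = 10**9 // ticks_per_sec
    off, number = GLOBAL_HDR_LEN, 1
    while off + rec.size <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = rec.unpack_from(data, off)
        end = off + rec.size + incl_len
        if end > len(data):
            raise ValueError(f"packet {number} is truncated")
        # Keep the record bytes verbatim so the output files preserve endianness and resolution.
        yield number, ts_sec * 10**9 + ts_frac * ns_per_tick, data[off:end]
        off, number = end, number + 1
    if off != len(data):
        raise ValueError("trailing bytes after the last packet record")


def to_ns(t):
    """Integer nanoseconds from a float, int or decimal string such as Bro's "1191425784.000250"."""
    return int(Decimal(str(t)) * 10**9)   # Decimal avoids float rounding at ~1e9 seconds


def split_pcap(data, keep_numbers=(), keep_times=(), tolerance=0.0):
    """Return (matched_pcap, other_pcap). A packet matches if its number is in keep_numbers
    or its timestamp lies within `tolerance` seconds of any entry in keep_times."""
    header = data[:GLOBAL_HDR_LEN]
    numbers = set(keep_numbers)
    times_ns = [to_ns(t) for t in keep_times]
    tol_ns = to_ns(tolerance)
    matched, other = [header], [header]
    for number, ts_ns, record in iter_packets(data):
        hit = number in numbers or any(abs(ts_ns - t) <= tol_ns for t in times_ns)
        (matched if hit else other).append(record)
    return b"".join(matched), b"".join(other)


def build_pcap(packets, endian="<", nanos=False):
    """Build a pcap (link type 1, Ethernet) from [(ts_sec, ts_frac, payload)] -- test data only."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = [struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)]
    for ts_sec, ts_frac, payload in packets:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload)
    return b"".join(out)


# Constructed sample: 4 fake frames (14 zero bytes stand in for the Ethernet header).
SAMPLE_PACKETS = [
    (1191425784, 100,    b"\x00" * 14 + b"GET /tg/index.html HTTP/1.1\r\n"),
    (1191425784, 250,    b"\x00" * 14 + b"HTTP/1.1 200 OK\r\n"),
    (1191425785, 0,      b"\x00" * 14 + b"unrelated background traffic"),
    (1191425786, 999999, b"\x00" * 14 + b"\\\\fileshare\\tg\\doc.txt"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    # Usage: split_pcap.py in.pcap matched.pcap other.pcap SELECTOR...
    # A SELECTOR containing "." is a timestamp in seconds; otherwise it is a packet number.
    src, dst_match, dst_other, *selectors = sys.argv[1:]
    numbers = [int(s) for s in selectors if "." not in s]
    times = [s for s in selectors if "." in s]
    with open(src, "rb") as f:
        m, o = split_pcap(f.read(), numbers, times, tolerance=0.001)
    open(dst_match, "wb").write(m)
    open(dst_other, "wb").write(o)
    print(f"matched {len(list(iter_packets(m)))} packets, other {len(list(iter_packets(o)))}")
```

Packets in each output file are renumbered from 1 by any tool that reads them, so if you need to map matches back to the original capture, keep the original packet numbers (or the timestamps) in a side file rather than relying on positions in the split output.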