[Bro] Questions about Bro Capabilities
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Wed Oct 3 07:36:24 PDT 2007
On Wed, Oct 03, 2007 at 10:04:33AM -0400, Reed Porada composed:
> > No, not really. The main problem here is that the link between most
> > event handlers and the actual packets is pretty weak. In general,
> > Bro does not give guarantees about when a particular event is raised
> > and also doesn't keep track which packet triggered it. There's a
> > function called get_current_packet() which returns the packet Bro
> > currently munching on but when script code is running it's hard to
> > predict which packet that actually is.
Although for events which are effectively instentanious (eg, the ones
created directly and indirectly by the protocol parsing),
get_current_packet() will be PART of the current stream, but due to
reordering issues, may not be the last packet in the current stream in
TCP sequence order.
> I am working on a Traffic Generator (TG) project. Our TG has static
> content for webpages and fileshares. In addition, we know when our
> TG hosts attempt to access that data. Given those to things, I want
> to be able to take a network capture, run it through a system and
> separate out traffic that we know our TG generated, by correlating
> intent and traffic content, and other traffic on the network. The
> end goal being smaller and more relevant network captures for an
> analyst. In order to do this I want to try and leverage others
> protocol analyzers and parsers. Bro seems to be a good choice as I
> believe through a policy and some pregenerated variables (based on
> the content and host intent) I can validate given traffic to be from
> our TG system, and leave the rest for others to analyze. I believe
> that in order to do this I need to get out of Bro the relevant
> packets, either packet number or timestamp. Given that information,
> I would be able to run it through a script that would split the pcap
> based on the output. The added benefit of Bro is that it does some
> additional analysis that could be useful for capture analysis.
What exactly are the defining characteristics of your synthetic traffic?
--
Nicholas C. Weaver nweaver at icsi.berkeley.edu
This message has been ROT-13 encrypted twice for higher security.
More information about the Bro
mailing list