[Bro] Questions about Bro Capabilities
Robin Sommer
robin at icir.org
Wed Oct 3 09:51:43 PDT 2007
On Wed, Oct 03, 2007 at 08:26 -0700, Nicholas Weaver wrote:
> For offline processing, do a two-pass approach. In the first pass,
> you use Bro to find the TG flows based on the higher-level attributes,
> and write out the flow IDs. For the second pass, only capture the
> flows which don't correspond.
Yeah, that was my thought too. (This is an offline scheme, isn't it?)
If I understood your approach correctly, you depend on
application-layer analysis to find "your" traffic. In that case,
doing it in a single pass would likely miss packets because you
might only be able to take the decision some way into the stream.
At the same time it also sounds like you're always cutting out
complete flows rather than just individual packets. So, a two-pass,
flow-based approach sounds indeed reasonable.
Does this make any sense?
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
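The two-pass scheme discussed above, worked through as an added example (not code from the thread or from Bro itself). It models a trace as a list of constructed packet records rather than a pcap so it runs offline, and uses a hypothetical payload string "TG-MARKER" as the stand-in for the application-layer attribute that identifies the traffic generator's flows. It also shows the point made in the reply: a single streaming pass lets the early packets of a TG flow through because the decision is only possible some way into the stream, while the flow-ID list from the first pass lets the second pass cut out complete flows.

```python
"""Two-pass, flow-based filtering of 'TG' traffic (added example).

Packets are modelled as plain tuples instead of a pcap so the example runs
offline; the classifier below stands in for whatever application-layer
analysis (Bro, in the thread) would use to recognise the TG flows.  The
'TG-MARKER' payload string is a constructed, hypothetical attribute.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto payload")

# Constructed trace (not a real capture).  Flow A (10.0.0.1 <-> 10.0.0.2) is
# TG traffic, but the identifying attribute only appears in its third packet;
# flow B (10.0.0.3 <-> 10.0.0.4) is ordinary traffic that must be kept.
TRACE = [
    Packet(1.0, "10.0.0.1", 40000, "10.0.0.2", 80, "tcp", "SYN"),
    Packet(1.1, "10.0.0.2", 80, "10.0.0.1", 40000, "tcp", "SYN-ACK"),
    Packet(1.2, "10.0.0.1", 40000, "10.0.0.2", 80, "tcp", "GET / TG-MARKER"),
    Packet(1.3, "10.0.0.3", 50000, "10.0.0.4", 80, "tcp", "SYN"),
    Packet(1.4, "10.0.0.2", 80, "10.0.0.1", 40000, "tcp", "200 OK"),
    Packet(1.5, "10.0.0.3", 50000, "10.0.0.4", 80, "tcp", "GET /index"),
]


def flow_id(pkt):
    """Direction-independent 5-tuple: both directions map to one flow ID."""
    ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, ends[0], ends[1])


def is_tg_packet(pkt):
    """Hypothetical application-layer check standing in for Bro's analysis."""
    return "TG-MARKER" in pkt.payload


def single_pass_filter(trace):
    """Naive one-pass approach: decide per packet while streaming.

    Packets of a TG flow that arrive before the identifying attribute is
    seen are already let through, so the TG flow is only partially removed.
    """
    tg_flows = set()
    kept = []
    for pkt in trace:
        fid = flow_id(pkt)
        if is_tg_packet(pkt):
            tg_flows.add(fid)
        if fid not in tg_flows:
            kept.append(pkt)
    return kept


def first_pass_flow_ids(trace):
    """Pass 1: find the TG flows and return their IDs (what Bro would write out)."""
    return {flow_id(p) for p in trace if is_tg_packet(p)}


def second_pass_filter(trace, tg_flows):
    """Pass 2: re-read the trace, keeping only flows not on the TG list."""
    return [p for p in trace if flow_id(p) not in tg_flows]


def two_pass_filter(trace):
    """Full two-pass scheme: complete TG flows are cut out, nothing leaks."""
    return second_pass_filter(trace, first_pass_flow_ids(trace))


if __name__ == "__main__":
    leaked = [p for p in single_pass_filter(TRACE) if p.src in ("10.0.0.1", "10.0.0.2")]
    print("single pass leaked %d TG packet(s)" % len(leaked))
    print("two pass kept %d packet(s), all non-TG" % len(two_pass_filter(TRACE)))
```

With a real trace the first pass would be Bro writing flow IDs to a file and the second pass a packet filter (or a second Bro run) that reads that file back; the structure is the same, and the flow ID must be computed direction-independently in both passes or the reverse direction of each TG flow survives the filter.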