[Bro] Questions about Bro Capabilities
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Thu Oct 4 08:07:42 PDT 2007
On Thu, Oct 04, 2007 at 11:03:07AM -0400, Reed Porada composed:
> >Does this make any sense?
>
> In general I understand what you and Nick have proposed. I do not
> know how to get the flow-ids out. Are the http_request_stream$id's
> unique? One thing that was suggested by a co-worker after looking at
> the output, is that we have a timestamp, src ip/port, dst ip/port.
> In general within a pcap that is sufficient for identifying a packet,
> my guess as to why you have not suggested this option is that the
> network_time() that is being used in output does not relate to the
> stream. Is there any way to get that to have a closer correlation to
> the stream? I am also curious as to how to interpret the output from
> http-body. What does each printout from http_entity_data events
> represent? Is it a new packet, or an update to the stream that could
> be the sum of an arbitrary number of packets?
With most hosts, the 5-tuple should be unique (SRC ip/port, DST
ip/port, proto). So just record the 5-tuple of anything to exclude in
a file, and then use that file in the second pass to filter out those
connections.
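The two-pass scheme above, as an added example in Python that is not part of the original thread and not Bro's own code. It runs over a constructed sample trace embedded in the block (one line per packet: timestamp, src ip/port, dst ip/port, proto), so it works offline without Bro or a pcap. The function names (conn_key, first_pass, load_exclusions, second_pass, reused_keys) and the exclusion-file format are my own choices. Two details a practitioner hits in practice are built in: the key is made direction-independent so that a connection's reply packets match the same entry as its request, and reused_keys flags the case where "should be unique" fails, namely the same client port being reused against the same server after the first connection went idle, which a bare 5-tuple filter would then drop along with the one you meant to exclude.

```python
"""Two-pass connection filter keyed on the (direction-independent) 5-tuple.

Pass one records the 5-tuple of every connection you want to exclude into a
plain-text file (one tuple per line).  Pass two reloads that file and drops
every packet whose connection key is listed.  Added example; not Bro code.
"""
import tempfile
from typing import Callable, Dict, Iterable, List, Set, Tuple

# (timestamp, src_ip, src_port, dst_ip, dst_port, proto)
Packet = Tuple[float, str, int, str, int, str]
FiveTuple = Tuple[str, int, str, int, str]

# Constructed sample trace (not real capture data): two HTTP connections, one
# mDNS datagram, and a final packet that reuses the first connection's
# 5-tuple two hours later (ephemeral-port reuse).
SAMPLE_PACKETS: List[Packet] = [
    (1191513787.000, "10.0.0.5", 40123, "192.0.2.10", 80, "tcp"),
    (1191513787.050, "192.0.2.10", 80, "10.0.0.5", 40123, "tcp"),
    (1191513788.000, "10.0.0.5", 40124, "192.0.2.11", 80, "tcp"),
    (1191513788.100, "192.0.2.11", 80, "10.0.0.5", 40124, "tcp"),
    (1191513789.000, "10.0.0.7", 5353, "224.0.0.251", 5353, "udp"),
    (1191520987.000, "10.0.0.5", 40123, "192.0.2.10", 80, "tcp"),
]


def conn_key(src: str, sport: int, dst: str, dport: int, proto: str) -> FiveTuple:
    """Canonical key: the lexically smaller (ip, port) endpoint goes first, so
    both directions of a connection map to the same tuple."""
    if (src, sport) <= (dst, dport):
        return (src, sport, dst, dport, proto)
    return (dst, dport, src, sport, proto)


def packet_key(pkt: Packet) -> FiveTuple:
    return conn_key(pkt[1], pkt[2], pkt[3], pkt[4], pkt[5])


def format_key(key: FiveTuple) -> str:
    """One exclusion-file line: 'ip port ip port proto'."""
    return "{} {} {} {} {}".format(*key)


def parse_key(line: str) -> FiveTuple:
    src, sport, dst, dport, proto = line.split()
    return conn_key(src, int(sport), dst, int(dport), proto)


def first_pass(packets: Iterable[Packet],
               should_exclude: Callable[[Packet], bool]) -> List[str]:
    """Pass one: collect the keys of connections matching should_exclude and
    return them as lines ready to be written to the exclusion file."""
    keys: Set[FiveTuple] = set()
    for pkt in packets:
        if should_exclude(pkt):
            keys.add(packet_key(pkt))
    return [format_key(k) for k in sorted(keys)]


def load_exclusions(lines: Iterable[str]) -> Set[FiveTuple]:
    """Reload the exclusion file; blank lines and '#' comments are ignored."""
    return {parse_key(ln) for ln in lines if ln.strip() and not ln.lstrip().startswith("#")}


def second_pass(packets: Iterable[Packet], excluded: Set[FiveTuple]) -> List[Packet]:
    """Pass two: keep only packets whose connection key is not excluded."""
    return [p for p in packets if packet_key(p) not in excluded]


def reused_keys(packets: Iterable[Packet], gap_seconds: float = 600.0) -> Set[FiveTuple]:
    """Flag 5-tuples that reappear after more than gap_seconds of silence:
    almost certainly a new connection reusing the same client port, which a
    pure 5-tuple filter cannot tell apart from the original."""
    last_seen: Dict[FiveTuple, float] = {}
    reused: Set[FiveTuple] = set()
    for pkt in sorted(packets):          # sorts by timestamp first
        key = packet_key(pkt)
        if key in last_seen and pkt[0] - last_seen[key] > gap_seconds:
            reused.add(key)
        last_seen[key] = pkt[0]
    return reused


if __name__ == "__main__":
    # Example policy: exclude everything to/from the server 192.0.2.10.
    boring = lambda p: "192.0.2.10" in (p[1], p[3])
    with tempfile.NamedTemporaryFile("w+", suffix=".exclude", delete=False) as fh:
        fh.write("\n".join(first_pass(SAMPLE_PACKETS, boring)) + "\n")
        path = fh.name
    with open(path) as fh:
        kept = second_pass(SAMPLE_PACKETS, load_exclusions(fh))
    print("exclusion file:", path)
    print("kept %d of %d packets" % (len(kept), len(SAMPLE_PACKETS)))
    for key in reused_keys(SAMPLE_PACKETS):
        print("warning: 5-tuple reused after idle gap:", format_key(key))
```

If the trace spans long enough for clients to cycle through their ephemeral ports, add a connection start time (or Bro's own connection id) to the key rather than relying on the 5-tuple alone; reused_keys tells you whether that matters for a given capture.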