[Bro] help regarding using bro on application-level byte stream

Jayanth Kannan kjk at eecs.berkeley.edu
Wed Apr 23 06:29:30 PDT 2008


Hi,

I have a question regarding running Bro on a application-level TCP byte
stream, and was wondering which implementation option to choose. Any help is
much appreciated! Details below.

I have access to a application-level byte stream (eg: say, a http session
consisting of http put and get packets) that I would like to run Bro on it
in an online fashion (I specifically plan to use its trace anonymization
capabilities). I do not have access to the corresponding TCP byte stream /
IP byte stream, but I do have the TCP state information required
(source/dest addr, source/dest port). I am wondering how to have Bro process
these packets. I can think of the following ways by reading the various
docs, but am not sure whether there is anything else I have missed.

1. Cook up fake link-layer, TCP,IP headers, and feed Bro via a FIFO.

2. Use Brocolli to send really low-level events (events being "so and so
bytes seen on so and so conn"). These events have to be low-level because I
am trying to minimize any application-specific parsing before sending to
Bro.

3. Use the Bro source code directly, and somehow instantiate an analyzer
directly on the byte-stream. Any state needed (such as connection endpoints)
have to be cooked up.

After reading the source code and various docs, I am tending towards (3),
since it won't have the performance hit of a FIFO/broccoli, but am wondering
whether the state is seperable enough for me to do this.

Thanks in advance, and if anything is not clear, please let me know,

Jayanth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080423/1b350578/attachment.html 


More information about the Bro mailing list