[Bro] Use BRO as an offline L7-filter
vcarela
vcarela at ac.upc.edu
Mon Nov 10 07:19:36 PST 2008
Hi list,
I'm trying to use BRO as an offline L7-filter. I would like to add a
signature file to BRO (maybe to the DPD "module"??) and run on a trace
to detect the applications. I have already written the signature file
based on J. Erman's thesis (last pages of
http://www.cse.iitd.ernet.in/~mahanti/papers/erman.msc.thesis.pdf ).
Now I'm a bit lost: where do I have to copy the signatures?
here? -> /usr/local/bro/share/bro/sigs/jerman.sig
Which file do I have to modify to add my signatures and remove the rest?
Because when I run :
" bin/bro -r trace.pcap dpd "
I get outputs like:
" 1217419201.228065 weird: spontaneous_FIN
1217419201.234297 weird: spontaneous_RST "
I only want to get the L7 application detected. I don't care about the
Snort or other alerts that have no relation to L7 applications.
Thank you in advance,
Valentín
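As an added example (this is not code from the original post, the thesis, or the Bro project), here is the shape of what the post asks for: a signature file in Bro's signature language plus a small policy script whose only output is one line per connection when a signature fires. The two files are shown in one block separated by comments. The payload regexes are illustrative placeholders, not the Erman signatures; the field names follow Bro 1.x (`signature_state` with `conn`, `conn_id` with `orig_h`/`orig_p`/`resp_h`/`resp_p`), and the `-s` flag for loading the signature file is assumed from the Bro 1.x command line.

```bro
# --- jerman.sig : payload signatures (Bro signature language) ---
# Each signature fires a signature_match event with the "event" string
# as its message. Only TCP payload is inspected here; the regexes are
# constructed placeholders, not the ones from the Erman thesis.

signature l7-http {
  ip-proto == tcp
  payload /^(GET|POST|HEAD) [^ ]+ HTTP\/1\.[01]/
  event "l7:http"
}

signature l7-bittorrent {
  ip-proto == tcp
  payload /^\x13BitTorrent protocol/
  event "l7:bittorrent"
}

signature l7-ssh {
  ip-proto == tcp
  payload /^SSH-[12]\./
  event "l7:ssh"
}

# --- l7.bro : report the first matching signature per connection ---
# Loading only this script (not the dpd policy) keeps weird.bro's
# spontaneous_FIN / spontaneous_RST messages out of the output.

# Connections already labelled; used to emit one label per flow.
global l7_seen: set[conn_id];

event signature_match(state: signature_state, msg: string, data: string)
{
    local c = state$conn;

    # Several signatures (or both directions) may match the same
    # connection; keep the first label only.
    if ( c$id in l7_seen )
        return;
    add l7_seen[c$id];

    print fmt("%.6f %s:%s -> %s:%s %s", network_time(),
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, msg);
}
```

Assumed invocation on the trace from the post: `bro -r trace.pcap -s jerman.sig l7.bro`, which prints lines such as `<time> 10.0.0.1:51234/tcp -> 10.0.0.2:80/tcp l7:http` and nothing else.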