[Bro] Offline/Tracefile Traffic Classification with Bro

Isara Anantavrasilp isara.a at gmail.com
Tue Oct 21 14:33:38 PDT 2008


Hi,

I am completely new to Bro and have a few *naive* questions.
I have already tried to find the answer myself but to no avail.

I have to classify and isolate Internet traffic (or Internet flows)
stored in several trace files, which are in compressed
pcap format.
For instance, given a trace file A, and a specific protocol, say, SSH,
what I have to do is generate another trace file which contains only
SSH packets from the trace A.
I do not need the SSH trace file automatically.
But I need at least the 5-tuple of the SSH flows that reside in the
trace A so that I can extract the SSH packets later.

As far as I understand from the Bro wiki, Bro can recognize flows from
tcpdump traces, which are the same as pcap traces.
(Here is where I found it:
http://www.bro-ids.org/wiki/index.php/User_Manual:_Bulk_Traces_and_Off-line_Analysis)

Here are the questions:
1) Can I somehow obtain the flows, or the packets in the flows, that match
certain Bro rules and isolate them?
2) If so, how do I do it? I have looked through the online documents but
cannot get a concrete answer.
3) If not, can I at least identify which flows match the rules?
4) Is there any rules repository for Bro (like Snort rules)?

Thank you very much. :)

Cheers,
Isara Anantavrasilp
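The task described in the post (get the 5-tuples of the SSH flows in a pcap, then pull exactly those packets out of the trace), as an added example that is not part of the original thread and does not use Bro itself. It identifies SSH by the "SSH-" version banner in either direction rather than by port, so a session on a non-standard port is still found; the trace, hosts and ports are constructed inline for offline testing.

```python
import struct
from collections import defaultdict

def build_pcap(frames):
    """Serialize Ethernet frames into a pcap byte string (linktype 1). Constructed test data only."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1224000000 + i, 0, len(f), len(f)) + f
    return out

def tcp_frame(src, dst, sport, dport, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero because the parser below ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def tcp_flows(pcap):
    """Group TCP payloads by flow; both directions map to one key (low endpoint, high endpoint, 'tcp')."""
    flows, off = defaultdict(list), 24  # 24 = size of the pcap global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack_from("<I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip truncated, non-IPv4 and non-TCP frames
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        a = (".".join(map(str, ip[12:16])), sport)
        b = (".".join(map(str, ip[16:20])), dport)
        flows[(min(a, b), max(a, b), "tcp")].append(tcp[(tcp[12] >> 4) * 4:])
    return flows

def ssh_flows(pcap):
    """5-tuples of flows that carry an SSH banner in either direction, whatever port they use."""
    return sorted(k for k, p in tcp_flows(pcap).items() if any(x.startswith(b"SSH-") for x in p))

def bpf_filter(flow):
    """tcpdump expression that extracts exactly this flow's packets (both directions) from the trace."""
    (h1, p1), (h2, p2), proto = flow
    one_way = "(src host {} and src port {} and dst host {} and dst port {})"
    return f"{proto} and ({one_way.format(h1, p1, h2, p2)} or {one_way.format(h2, p2, h1, p1)})"

SAMPLE = build_pcap([  # constructed trace: SSH on port 22, SSH on port 2222, one HTTP flow
    tcp_frame("10.0.0.5", "10.0.0.9", 40001, 22),
    tcp_frame("10.0.0.9", "10.0.0.5", 22, 40001, b"SSH-2.0-OpenSSH_5.1\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.7", 40002, 2222, b"SSH-2.0-OpenSSH_5.1\r\n"),
    tcp_frame("10.0.0.5", "10.0.0.8", 40003, 80, b"GET / HTTP/1.0\r\n\r\n"),
])
```

Feeding `bpf_filter(flow)` to `tcpdump -r A.pcap -w ssh.pcap '<filter>'` for each returned flow produces the per-protocol trace the post asks for.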


