[Bro] Automated Identification of Notice/Alarm Generating Packets

Rob Shanley rob.shanley at gmail.com
Tue Nov 10 05:30:14 PST 2009


Thank you for the prompt response! I will look into the connections/flows.

On Tue, Nov 10, 2009 at 12:20 AM, Robin Sommer <robin at icir.org> wrote:

>
> On Mon, Nov 09, 2009 at 14:03 -0500, you wrote:
>
> > I am new to bro and I'm trying to find out if there is an easy / automated
> > way to identify the packets that triggered a notice/alarm.
>
> No, not really. The main reason is that at the point when the
> decision is taken Bro doesn't really have the notion of packets
> anymore, it's working at a higher semantic level and it's in general
> not possible to go back and pinpoint individual packets which led to
> the decision.
>
> What often works well however is doing this at the connection/flow
> level. Most alarms are associated with a particular connection and
> once one has the 4-tuple of host & ports, one can extract the
> connection's packets from the input. With an offline analysis, that
> should be pretty straightforward to do. For alarms not associated
> with a connection, there's usually still at least a certain IP
> involved and one could filter for that (depends on your application
> whether that makes sense or not I guess).
>
> There's also the "Time Machine"[1], which can buffer large amounts of
> packets and provides an interface to, e.g., extract individual
> packets from its buffers. The TM can also work offline from traces.
>
> Robin
>
> [1] http://www.net.t-labs.tu-berlin.de/research/tm/
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
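The connection-level approach Robin describes, worked through as an added example (not code from this thread, from Bro, or from the Time Machine): given the 4-tuple a notice reports (originator host and port, responder host and port), walk an offline pcap trace and keep only the packets of that connection in both directions, then write them back out as a smaller pcap. The trace here is constructed in memory so the script runs with no input files; the IP addresses, ports and timestamps are made-up sample values, and the pcap/IPv4/TCP parsing is a deliberately minimal hand-rolled reader (Ethernet link type, IPv4, TCP only, no IP options on the TCP side beyond IHL handling) rather than a real packet library.

```python
"""Offline extraction of one connection's packets from a pcap trace by its 4-tuple.

Added example: the 4-tuple is the one a Bro notice would report for a
connection; the trace below is a constructed sample, not captured traffic.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian magic as written by libpcap
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def _ipv4_tcp_frame(src_ip, sport, dst_ip, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP frame (sample data; checksums left zero)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """Serialize (ts_sec, ts_usec, frame) records into a libpcap 2.4 byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from pcap bytes, honouring the file's endianness."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled in this example")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def parse_ipv4_tcp(frame):
    """Return (src_ip, sport, dst_ip, dport) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 4:
        return None                        # not TCP, or truncated
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return src, sport, dst, dport


def extract_connection(pcap_bytes, orig_h, orig_p, resp_h, resp_p):
    """Keep the packets of one connection, matching either direction of the 4-tuple."""
    forward = (orig_h, orig_p, resp_h, resp_p)
    reverse = (resp_h, resp_p, orig_h, orig_p)
    return [(s, u, f) for s, u, f in iter_pcap(pcap_bytes)
            if parse_ipv4_tcp(f) in (forward, reverse)]


# Constructed sample trace: one HTTP connection (3 packets, both directions)
# interleaved with two unrelated packets.
SAMPLE_TRACE = build_pcap([
    (1257854400, 0,   _ipv4_tcp_frame("10.0.0.5", 40123, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n")),
    (1257854400, 500, _ipv4_tcp_frame("192.0.2.10", 80, "10.0.0.5", 40123, b"HTTP/1.0 200 OK\r\n")),
    (1257854401, 0,   _ipv4_tcp_frame("10.0.0.7", 51000, "192.0.2.10", 80, b"GET /x HTTP/1.0\r\n")),
    (1257854401, 10,  _ipv4_tcp_frame("10.0.0.5", 40123, "192.0.2.10", 80)),
    (1257854402, 0,   _ipv4_tcp_frame("10.0.0.5", 40124, "192.0.2.10", 443)),
])

if __name__ == "__main__":
    # 4-tuple as a notice would report it: orig_h, orig_p, resp_h, resp_p
    hits = extract_connection(SAMPLE_TRACE, "10.0.0.5", 40123, "192.0.2.10", 80)
    print("matched %d of %d packets" % (len(hits), len(list(iter_pcap(SAMPLE_TRACE)))))
    with open("connection.pcap", "wb") as fh:
        fh.write(build_pcap(hits))
```

On a real trace the same filter is what `host A and host B and port P and port Q` would express to a pcap tool; the point of doing it by hand here is to make explicit that the match must be checked in both directions, and that timestamps are carried through so the extracted file still lines up with the notice's time.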