[Bro] Reassembling packets during inspection
Peter Erickson
redlamb19 at gmail.com
Sat Aug 7 18:33:33 PDT 2010
>> Is it possible to reassemble TCP and UDP streams while Bro inspects a
>
> What do you mean by reassembling a UDP stream? These don't have a particular
> reassembly ordering associated with them. If you just want to extract the
> contents of a given UDP flow, you can do so using tcpdump directly.
>
Thanks for the quick response. I realize that UDP doesn't have
sequence numbers, etc., but I was hoping that Bro would be able to
assemble the flow into something that could be externally processed.
As a crude example (I realize that Bro has DNS analyzers): I wanted a
file that contained the raw DNS request and raw DNS reply. I work with
malware a lot and I have scripts that look for custom protocols.
--
Peter Erickson
redlamb19 _at_ gmail _dot_ com
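The flow extraction Peter describes above (group each UDP "flow" by its endpoints and dump the raw request and reply to a file for an external script), as an added example in Python that is not part of this thread and not Bro's own code. It reads a classic pcap directly instead of going through tcpdump, pairs the two directions under one direction-independent key, and writes each datagram with a one-byte direction tag and a length prefix, because UDP has no stream boundaries and plain concatenation would lose where one datagram ends and the next begins. The capture, the RFC 5737 addresses, the DNS messages and the "BEACON" payload are all constructed here; the parser assumes Ethernet/IPv4 frames and does not reassemble IP fragments.

```python
import os
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
PCAP_MAGIC = 0xA1B2C3D4


def iter_pcap_packets(data):
    """Yield (timestamp, frame_bytes) from a classic (non-pcapng) pcap blob."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == PCAP_MAGIC else ">" if magic == 0xD4C3B2A1 else None
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_udp(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != IPPROTO_UDP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    udp = ip[ihl:total_len]            # slicing to total_len drops any Ethernet padding
    if len(udp) < 8:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    sport, dport, ulen, _cksum = struct.unpack_from("!HHHH", udp, 0)
    return src, sport, dst, dport, udp[8:ulen]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so a request and its reply land in the same flow."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def extract_udp_flows(pcap_bytes):
    """Group UDP payloads by flow; each record is (timestamp, 'orig'|'resp', payload).

    'orig' is whichever endpoint sent the first datagram of the flow (Bro's convention)."""
    flows, originators = {}, {}
    for ts, frame in iter_pcap_packets(pcap_bytes):
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        key = flow_key(src, sport, dst, dport)
        originators.setdefault(key, (src, sport))
        direction = "orig" if (src, sport) == originators[key] else "resp"
        flows.setdefault(key, []).append((ts, direction, payload))
    return flows


def flow_to_bytes(records):
    """Serialise a flow as records of: 1 byte direction ('o'/'r'), 4-byte big-endian
    length, payload. Datagram boundaries survive, which raw concatenation would lose."""
    out = bytearray()
    for _ts, direction, payload in records:
        out += struct.pack("!cI", direction[0].encode(), len(payload)) + payload
    return bytes(out)


def write_flows(flows, out_dir):
    """Write one file per UDP flow, named by its endpoints; return the paths written."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for (a, b), records in flows.items():
        path = os.path.join(out_dir, f"udp_{a[0]}_{a[1]}_{b[0]}_{b[1]}.bin")
        with open(path, "wb") as fh:
            fh.write(flow_to_bytes(records))
        paths.append(path)
    return paths


# --- Constructed sample capture (not real traffic): one DNS lookup plus a single
# --- datagram of a made-up "custom protocol" on an unusual port.
def _udp_frame(src, sport, dst, dport, payload):
    ip4 = lambda s: bytes(int(o) for o in s.split("."))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0, ip4(src), ip4(dst))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + iph + udp


def _pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # pcap 2.4, DLT_EN10MB
    return hdr + b"".join(struct.pack("<IIII", 1281229000 + i, 0, len(f), len(f)) + f
                          for i, f in enumerate(frames))


DNS_QUESTION = b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)          # example.com A IN
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + DNS_QUESTION
DNS_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + DNS_QUESTION
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
CUSTOM_BEACON = b"BEACON\x00\x01hostname"

SAMPLE_PCAP = _pcap([
    _udp_frame("10.0.0.5", 53412, "192.0.2.53", 53, DNS_QUERY),
    _udp_frame("10.0.0.5", 40000, "203.0.113.9", 4444, CUSTOM_BEACON),
    _udp_frame("192.0.2.53", 53, "10.0.0.5", 53412, DNS_REPLY),
])

if __name__ == "__main__":
    flows = extract_udp_flows(SAMPLE_PCAP)
    for key, records in flows.items():
        print(key, [(d, len(p)) for _, d, p in records])
    print(write_flows(flows, "udp_flows"))
```

To use it on a real capture, read the pcap file into bytes and pass it to extract_udp_flows; the external script then reads each output file record by record (direction byte, length, payload) rather than guessing where datagrams start.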