[Bro] using Bro as traffic analyzer.

Matthias Vallentin vallentin at icir.org
Sat Dec 3 23:44:45 PST 2011


> I find Bro is so widely used, which seems able to fulfill the requirement.

Good to hear it works for you and welcome aboard!

> Can I disable other functions embedded in Bro, and add a plugin myself?

With the upcoming release of 2.0, Bro enables policy-neutral protocol
analysis by default, meaning it gives you a neutral picture of what's
going on in your network. For additional analyses and detectors, you
need to load the corresponding scripts in the policy directory;
local.bro is a good starting point. That said, you only pay for basic
protocol decoding by default.

> What is the point to achieve this, modify the core .cpp source file or add
> a .bro file?

This depends on the functionality you would like to add. Would you
mind elaborating a bit so that we can give you more helpful advice?
Changing the format of the log output or modifying analyzer behavior
generally works at the scripting layer. Bro features a Turing-complete
scripting language. You can write your own new functions and events.
If you would like to haul C/C++ functionality up to the scripting
layer, you might want to consider writing your own built-in function
(BiF). See src/bro.bif for examples. If you would like to add a new
protocol analyzer, then BinPAC is the right tool for you.

    Matthias
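As an added illustration of the scripting-layer approach described in the reply above (this is example code written for this page, not code from the thread or from the Bro distribution), the script below adds a small detector without touching any .cpp file: it defines its own log stream via the 2.0 logging framework, declares a new event that other scripts can handle, and hooks the existing http_request event. The module name, the log name, and the URI pattern are assumptions chosen for illustration.

```bro
# Added example, not part of the original message or of Bro itself.
# Module name, log stream name and the pattern below are assumptions.
@load base/protocols/http

module SuspiciousURI;

export {
    # Registers a new log stream; its file is written next to http.log.
    redef enum Log::ID += { LOG };

    # One record per hit; every &log field becomes a log column.
    type Info: record {
        ts:     time   &log;
        orig_h: addr   &log;
        resp_h: addr   &log;
        method: string &log;
        uri:    string &log;
    };

    # New event raised for each hit, so other scripts can react to it.
    global suspicious_uri: event(c: connection, uri: string);

    # Assumed pattern for illustration; tune it for your network.
    const pattern = /(\.\.\/|\/etc\/passwd|<script)/ &redef;
}

event bro_init()
{
    Log::create_stream(SuspiciousURI::LOG, [$columns=Info]);
}

# Handler for an event the HTTP analyzer already generates.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
{
    if ( pattern in unescaped_URI )
    {
        Log::write(SuspiciousURI::LOG, [$ts=network_time(),
                                        $orig_h=c$id$orig_h,
                                        $resp_h=c$id$resp_h,
                                        $method=method,
                                        $uri=unescaped_URI]);
        event suspicious_uri(c, unescaped_URI);
    }
}
```

Run it against a capture with `bro -r trace.pcap suspicious_uri.bro`, or add an `@load` line for it to local.bro so it is picked up alongside the default policy. Only the basic HTTP decoding is paid for regardless; the extra cost is the per-request pattern match in the handler.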


