[Bro] "Faking" connections and http records

Jim Mellander jmellander at lbl.gov
Fri Mar 22 14:18:29 PDT 2013


Well, it's unfortunate that we can't feed in data from other sources
and subject it to the same policies that network traffic is subject
to.

In the meantime, I may just write some code that fakes the data into
pcap files that can be read by bro directly.

On Fri, Mar 22, 2013 at 1:54 PM, Seth Hall <seth at icir.org> wrote:
>
> On Mar 22, 2013, at 4:04 PM, Jim Mellander <jmellander at LBL.GOV> wrote:
>
>> Does anyone have suggestions on how to proceed with this?
>
>
> It wouldn't work very well. :)
>
> Nearly all of the detections rely on the various http_ events.  I would go down a slightly different route with logs than I would with raw traffic.  This is something that I've been talking about for quite a while and I suspect something related to happen in the next year.
>
> I think it's really cool that you're importing logs into Bro!
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
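The "fake the data into pcap files" approach Jim mentions above, as an added Python example; it is not code from this thread or from the Bro project. The record layout in SAMPLE_RECORDS is constructed and hypothetical (field names are not any Bro log format). Each record becomes one complete TCP conversation (handshake, request, response, teardown) with correct IP and TCP checksums, since Bro ignores packets whose checksums fail unless `ignore_checksums` is redefined to T.

```python
"""Synthesize a libpcap file from HTTP log records so Bro's http_* events fire.

Added example, not code from the Bro project or from the thread's authors.
"""
import socket
import struct

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10
ETH = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"   # placeholder MACs, EtherType IPv4

# Constructed sample record (hypothetical field names, not a Bro log format).
SAMPLE_RECORDS = [
    {"ts": 1363987000.0, "src": "10.0.0.5", "sport": 40001,
     "dst": "192.0.2.10", "dport": 80, "method": "GET", "uri": "/index.html",
     "host": "example.com", "status": 200, "body": b"<html>ok</html>"},
]


def checksum(data):
    """RFC 1071 ones-complement sum, used for both the IP and the TCP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, payload, ident):
    """IPv4 header (IHL=5, DF set, TTL 64, proto TCP) with checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0x4000,
                      64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """TCP segment with no options; checksum covers the pseudo-header too."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + \
        struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    hdr = hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]
    return hdr + payload


def conversation(r):
    """Return [(ts, frame)] for one full HTTP transaction built from record r."""
    c, s = (r["src"], r["sport"]), (r["dst"], r["dport"])
    req = ("%s %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (r["method"], r["uri"], r["host"])).encode()
    rsp = ("HTTP/1.1 %d OK\r\nContent-Length: %d\r\n\r\n" % (r["status"], len(r["body"]))).encode() + r["body"]
    cs, ss = 1000, 5000  # fixed initial sequence numbers; fine for a replay file
    steps = [  # (from_client, seq, ack, flags, payload)
        (True,  cs,                 0,                  SYN,       b""),
        (False, ss,                 cs + 1,             SYN | ACK, b""),
        (True,  cs + 1,             ss + 1,             ACK,       b""),
        (True,  cs + 1,             ss + 1,             PSH | ACK, req),
        (False, ss + 1,             cs + 1 + len(req),  ACK,       b""),
        (False, ss + 1,             cs + 1 + len(req),  PSH | ACK, rsp),
        (True,  cs + 1 + len(req),  ss + 1 + len(rsp),  ACK,       b""),
        (True,  cs + 1 + len(req),  ss + 1 + len(rsp),  FIN | ACK, b""),
        (False, ss + 1 + len(rsp),  cs + 2 + len(req),  FIN | ACK, b""),
        (True,  cs + 2 + len(req),  ss + 2 + len(rsp),  ACK,       b""),
    ]
    frames = []
    for i, (from_client, seq, ack, flags, payload) in enumerate(steps):
        (sa, sp), (da, dp) = (c, s) if from_client else (s, c)
        seg = tcp(sa, da, sp, dp, seq, ack, flags, payload)
        frames.append((r["ts"] + i * 0.001, ETH + ipv4(sa, da, seg, i + 1)))
    return frames


def build_pcap(records):
    """Serialize every conversation as a classic libpcap file (LINKTYPE_ETHERNET)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for r in records:
        for ts, frame in conversation(r):
            sec, usec = int(ts), int((ts - int(ts)) * 1e6)
            out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def verify_checksums(pcap):
    """Re-check each frame's IP and TCP checksum before handing the file to Bro."""
    off, n = 24, 0
    while off < len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        ip = pcap[off + 16 + 14: off + 16 + incl]          # skip pcap record + Ethernet
        assert checksum(ip[:20]) == 0, "bad IP checksum"
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(ip) - 20)
        assert checksum(pseudo + ip[20:]) == 0, "bad TCP checksum"
        off, n = off + 16 + incl, n + 1
    return n


if __name__ == "__main__":
    data = build_pcap(SAMPLE_RECORDS)
    with open("faked_http.pcap", "wb") as f:
        f.write(data)
    print("wrote %d packets" % verify_checksums(data))  # then: bro -r faked_http.pcap
```

Feed the result to Bro with `bro -r faked_http.pcap` and check that http.log and conn.log contain the synthesized transaction. When converting many records, vary the client port or the timestamps per record, otherwise identical 5-tuples replayed back to back will be folded into the same connection by Bro's connection tracking. The caveat Seth raises still applies: a log usually carries only a few fields, so headers that detections key on (User-Agent, Referer, cookies, the actual body) are absent from the replayed traffic unless the log happens to record them.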
