[Bro] reassembling DNS traffic

Coen Bakkers coen_bakkers at symantec.com
Mon Aug 4 13:45:46 PDT 2014


Is Bro capable of reassembling DNS traffic that is being captured over a TX and a RX tap interface if they are bridged?

Regards,

Coen

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of bro-request at bro.org
Sent: Monday, 4 August 2014 21:00
To: bro at bro.org
Subject: Bro Digest, Vol 100, Issue 2

Send Bro mailing list submissions to
	bro at bro.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
or, via email, send a message with subject or body 'help' to
	bro-request at bro.org

You can reach the person managing the list at
	bro-owner at bro.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of Bro digest..."


Today's Topics:

   1. Re: Brocontrol revisited (Siwek, Jon)
   2. Re: Brocontrol revisited (James Lay)
   3. scripts output with a pager on broctl (Po-Ching Lin)


----------------------------------------------------------------------

Message: 1
Date: Mon, 4 Aug 2014 14:51:31 +0000
From: "Siwek, Jon" <jsiwek at illinois.edu>
Subject: Re: [Bro] Brocontrol revisited
To: James Lay <jlay at slave-tothe-box.net>
Cc: Bro-IDS <bro at bro.org>
Message-ID: <294643E9-5324-4C81-A28E-77C42B7F5F13 at illinois.edu>
Content-Type: text/plain; charset="Windows-1252"


On Aug 3, 2014, at 6:44 AM, James Lay <jlay at slave-tothe-box.net> wrote:

> I like brocontrol's ease of use and auto-reports, but not at the cost of an additional bro process that eats 15% CPU usage.  Any explanation for this?  Thank you.

Even in standalone mode, BroControl currently will have Bro listen for remote connections as some functionality of BroControl depends on that.  Bro will fork a process to do the listening which is the additional bro process.  The communication between parent, child, and peers use somewhat suboptimal I/O loops that rely on small timeouts which can be the reason for the extra CPU usage.  From what I understand, the reason for it being that way is historical (i.e. there were reasons for doing it that way on older systems).  I don't know of any way to workaround it at this time, but improving/fixing the underlying problem is on the roadmap.

- Jon


------------------------------

Message: 2
Date: Mon, 04 Aug 2014 09:10:10 -0600
From: James Lay <jlay at slave-tothe-box.net>
Subject: Re: [Bro] Brocontrol revisited
To: Bro-IDS <bro at bro.org>
Message-ID: <0aa11c3ae174d6975417a994a6a77b9a at localhost>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 2014-08-04 08:51, Siwek, Jon wrote:
> On Aug 3, 2014, at 6:44 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> I like brocontrol's ease of use and auto-reports, but not at the cost 
>> of an additional bro process that eats 15% CPU usage.  Any 
>> explanation for this?  Thank you.
>
> Even in standalone mode, BroControl currently will have Bro listen for 
> remote connections as some functionality of BroControl depends on 
> that.  Bro will fork a process to do the listening which is the 
> additional bro process.  The communication between parent, child, and 
> peers use somewhat suboptimal I/O loops that rely on small timeouts 
> which can be the reason for the extra CPU usage.  From what I 
> understand, the reason for it being that way is historical (i.e.
> there
> were reasons for doing it that way on older systems).  I don't know of 
> any way to workaround it at this time, but improving/fixing the 
> underlying problem is on the roadmap.
>
> - Jon

Thanks a bunch Jon...that's a great response that really helps my understanding.

James


------------------------------

Message: 3
Date: Mon, 04 Aug 2014 23:36:07 +0800
From: Po-Ching Lin <pachinko.tw at gmail.com>
Subject: [Bro] scripts output with a pager on broctl
To: bro at bro.org
Message-ID: <53DFA867.2040900 at gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed


How about displaying scripts output on broctl with a pager? The output spans over several pages long, and it would be easier to check (and also
search) the output with a pager. Just a suggestion :-)

Po-Ching



------------------------------

_______________________________________________
Bro mailing list
Bro at bro.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


End of Bro Digest, Vol 100, Issue 2
***********************************
