[Bro] reassembling DNS traffic

Aaron Gee-Clough lists at g-clef.net
Tue Aug 5 09:57:18 PDT 2014


If the TX and RX interfaces are bonded together and Bro is pointed to that 
bonded interface rather than the individual ones, then it works fine. 
Bro never knows the difference, as the TX and RX are presented to it on 
the bonded interface.  (I'm doing this right now... works well.)

aaron
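
The setup Aaron describes, as an added example that is not from the thread or
from the Bro project: a POSIX shell script that builds the bond on a Linux
sensor, emits the matching BroControl node.cfg, and checks the result through
sysfs. The interface names eth1 (TX leg), eth2 (RX leg) and bond0 are
assumptions, as are the use of the Linux bonding driver in balance-rr mode and
a standalone BroControl node.

```shell
#!/bin/sh
# Added example (not from the list thread or the Bro project): fold the TX and
# RX legs of a passive tap into one Linux bond device, then point a standalone
# Bro node at the bond. Interface names are assumptions: eth1 carries one
# direction of the tapped link, eth2 the other, bond0 is the merged device.
set -eu

TX_IF="${TX_IF:-eth1}"           # tap leg, one direction (assumed name)
RX_IF="${RX_IF:-eth2}"           # tap leg, other direction (assumed name)
BOND="${BOND:-bond0}"            # merged device Bro will read from
DRY_RUN="${DRY_RUN:-0}"          # 1 = print the commands instead of running them
SYSFS="${SYSFS:-/sys/class/net}" # overridable so verify_bond can be tested

# run: execute a command, or print it when DRY_RUN=1 so the plan can be
# reviewed before touching a production sensor.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# bond_tap_legs: balance-rr delivers frames received on every slave up to the
# bond; active-backup would silently drop the inactive leg, i.e. one direction.
# The bond gets no IP address and IPv6 autoconf is disabled, so nothing is
# transmitted toward the tap; receive offloads are switched off on the legs so
# Bro sees wire-sized frames rather than kernel-coalesced ones.
bond_tap_legs() {
    run ip link add "$BOND" type bond mode balance-rr
    for leg in "$TX_IF" "$RX_IF"; do
        run ip link set "$leg" down
        run ethtool -K "$leg" gro off lro off || true   # NIC may lack LRO
        run ip link set "$leg" master "$BOND"
        run ip link set "$leg" up
    done
    run ip link set "$BOND" up promisc on
    run sysctl -q -w "net.ipv6.conf.$BOND.disable_ipv6=1"
}

# node_cfg: BroControl node.cfg for a standalone sensor reading the bond;
# Bro never sees the individual legs.
node_cfg() {
    cat <<EOF
[bro]
type=standalone
host=localhost
interface=$BOND
EOF
}

# verify_bond: confirm both legs are enslaved and the bond is promiscuous by
# reading the sysfs files the kernel exposes for bonding devices.
verify_bond() {
    slaves=$(cat "$SYSFS/$BOND/bonding/slaves" 2>/dev/null) ||
        { echo "verify: $BOND does not exist or is not a bond" >&2; return 1; }
    for leg in "$TX_IF" "$RX_IF"; do
        case " $slaves " in
            *" $leg "*) ;;
            *) echo "verify: $leg is not enslaved to $BOND" >&2; return 1 ;;
        esac
    done
    flags=$(cat "$SYSFS/$BOND/flags")   # hex bitmask; IFF_PROMISC is 0x100
    if [ $(( $flags & 0x100 )) -eq 0 ]; then
        echo "verify: $BOND is not promiscuous" >&2; return 1
    fi
    echo "verify: $BOND ok (slaves: $slaves)"
}

# Usage: DRY_RUN=1 sh bond-tap.sh apply   # print the plan only
#        sudo sh bond-tap.sh apply        # configure, print node.cfg, verify
case "${1:-}" in
    apply) bond_tap_legs; node_cfg; verify_bond ;;
esac
```

Run it once with DRY_RUN=1 to read the plan, then as root to apply it.
verify_bond fails if either leg is missing from the bond or the bond is not
promiscuous, either of which would leave Bro seeing only one direction of each
conversation on bond0.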

On 08/04/2014 04:45 PM, Coen Bakkers wrote:
>
> Is Bro capable of reassembling DNS traffic that is being captured
> over a TX and a RX tap interface if they are bridged?
>
> Regards,
>
> Coen
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of bro-request at bro.org
> Sent: Monday, 4 August 2014 21:00
> To: bro at bro.org
> Subject: Bro Digest, Vol 100, Issue 2
>
> Today's Topics:
>
>    1. Re: Brocontrol revisited (Siwek, Jon)
>    2. Re: Brocontrol revisited (James Lay)
>    3. scripts output with a pager on broctl (Po-Ching Lin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Aug 2014 14:51:31 +0000
> From: "Siwek, Jon" <jsiwek at illinois.edu>
> Subject: Re: [Bro] Brocontrol revisited
> To: James Lay <jlay at slave-tothe-box.net>
> Cc: Bro-IDS <bro at bro.org>
> Message-ID: <294643E9-5324-4C81-A28E-77C42B7F5F13 at illinois.edu>
> Content-Type: text/plain; charset="Windows-1252"
>
>
> On Aug 3, 2014, at 6:44 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
>
>> I like brocontrol's ease of use and auto-reports, but not at the
>> cost of an additional bro process that eats 15% CPU usage.  Any
>> explanation for this?  Thank you.
>
> Even in standalone mode, BroControl currently will have Bro listen
> for remote connections as some functionality of BroControl depends on
> that.  Bro will fork a process to do the listening which is the
> additional bro process.  The communication between parent, child, and
> peers use somewhat suboptimal I/O loops that rely on small timeouts
> which can be the reason for the extra CPU usage.  From what I
> understand, the reason for it being that way is historical (i.e.
> there were reasons for doing it that way on older systems).  I don't
> know of any way to workaround it at this time, but improving/fixing
> the underlying problem is on the roadmap.
>
> - Jon
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 04 Aug 2014 09:10:10 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] Brocontrol revisited
> To: Bro-IDS <bro at bro.org>
> Message-ID: <0aa11c3ae174d6975417a994a6a77b9a at localhost>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Thanks a bunch Jon...that's a great response that really helps my
> understanding.
>
> James
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 04 Aug 2014 23:36:07 +0800
> From: Po-Ching Lin <pachinko.tw at gmail.com>
> Subject: [Bro] scripts output with a pager on broctl
> To: bro at bro.org
> Message-ID: <53DFA867.2040900 at gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
>
> How about displaying scripts output on broctl with a pager? The
> output spans over several pages long, and it would be easier to check
> (and also search) the output with a pager. Just a suggestion :-)
>
> Po-Ching
>
>
>
> ------------------------------
>
> _______________________________________________
> Bro mailing list
> Bro at bro.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> End of Bro Digest, Vol 100, Issue 2
> ***********************************
>
