[Bro] Packet Level Analysis

Hosom, Stephen M hosom at battelle.org
Wed Aug 6 07:49:33 PDT 2014


The sorts of places where I see this being useful are well served by the Signatures framework.

The traceroute detector in policy/misc is a pretty good example of this ‘sort’ of thing.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Gehana Booth
Sent: Wednesday, August 06, 2014 9:13 AM
To: bro at bro.org
Subject: [Bro] Packet Level Analysis

Hello,

This is probably a very silly question, but I just wanted to get some opinions. Is it possible/feasible to do packet level analysis with bro (e.g., looking at the entire packet as a string to find similar patterns between packets)? Or is bro too high-level to make this an option, as it seems that the relevant events (new_packet, packet_contents, etc.) are exceedingly slow.

If this is possible, however, would I be able to do this in bro scripts or would I need to do something like write the module in C/C++ to hook into bro?

Cheers,
Gehana
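The signature-based route Stephen points to, as an added illustration that is not from this thread or from Bro's own policy scripts: a signature file that matches a constructed marker in TCP payloads on port 8080, plus the script that loads it, handles `signature_match`, and raises a notice. The marker, the port, the file names and the notice type are all assumptions for the example.

```bro
# --- file: payload-pattern.sig (assumed name) ---
# Matches any TCP connection to port 8080 whose payload carries the
# constructed marker "PATTERN-ALPHA" followed by four hex digits.
signature payload-pattern-alpha {
    ip-proto == tcp
    dst-port == 8080
    payload /.*PATTERN-ALPHA[0-9a-f]{4}/
    event "constructed marker seen in payload"
}

# --- file: payload-pattern.bro (assumed name) ---
@load base/frameworks/notice
@load base/frameworks/signatures

# Load the signature file above (path relative to this script).
@load-sigs ./payload-pattern.sig

module PayloadPattern;

export {
    redef enum Notice::Type += {
        ## Raised once per connection that matched the signature.
        Marker_Seen
    };
}

# signature_match fires with the matching signature's state, the message
# given by its "event" keyword, and the payload data that matched.
event signature_match(state: signature_state, msg: string, data: string)
{
    # Other loaded signatures fire the same event; keep only ours.
    if ( state$sig_id != "payload-pattern-alpha" )
        return;

    NOTICE([$note=Marker_Seen,
            $msg=msg,
            $sub=fmt("%d payload bytes matched", |data|),
            $conn=state$conn,
            # Suppress repeat notices for the same host pair.
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
}
```

Run it offline against a capture with `bro -r capture.pcap payload-pattern.bro`; matches appear in notice.log and, via the framework's default actions, in signatures.log.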