[Bro] Stream Extraction from Scriptland

anthony kasza anthony.kasza at gmail.com
Mon Sep 22 19:27:56 PDT 2014 

Hello List,

I'd first like to point out something I never knew existed.
bro/aux/bro-aux/devel-tools/extract-conn-by-uid will build a BPF from
a UID in a conn.log file and extract that stream from a pcap. Nifty.
That got me thinking if it would be possible to call
extract-conn-by-uid from scriptland with the exec framework. I wrote a
few PoC scripts but things became rather complicated when I couldn't
figure out when the conn.log file is available on disk from
scriptland. I'm curious if anyone has done something similar to this
before.

I then started playing around with the set_record_packets bif, but I
could not seem to get that function to do anything with packets that
weren't TCP data packets. The documentation around this function says
nothing specifically about TCP and only references 'connections',
which in Bro parlance includes TCP, UDP, and ICMP. I've included a
sample trace file, bro script, and some notes that resemble a bug
report around the set_record_packets functionality.

I supposed my root question is this: is there a way to use Bro
scripting to identify a connection of interest and have it written to
disk (either with the exec framework or with set_record_packet)
instead of including dumb BPFs with Bro's invocation?
Thanks all,

-AK
-------------- next part --------------
When running:
	bro connection_extractor.bro -Cr sample.pcap -w interesting.pcap
	Debian version 7.5
	Bro version 2.3-178

Expected results:
	interesting.pcap contains only packets relating to DNS connections

Actual results:
	interesting.pcap contains ICMP packets, TCP signaling (SYN, SYNACK, FINACK) packets, and DNS packets

Sample.pcap was generated by running the following commands:
	ping -c 3 example.com
	curl ww.google.com


Does set_record_packets only work with TCP connections?
-------------- next part --------------
A non-text attachment was scrubbed...
Name: connection_extractor.bro
Type: application/octet-stream
Size: 806 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140922/110fcfd4/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sample.pcap
Type: application/cap
Size: 22739 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140922/110fcfd4/attachment.bin

More information about the Bro mailing list