[Bro] Stream Extraction from Scriptland
Seth Hall
seth at icir.org
Tue Sep 23 05:42:32 PDT 2014
On Sep 22, 2014, at 10:27 PM, anthony kasza <anthony.kasza at gmail.com> wrote:
> I supposed my root question is this: is there a way to use Bro
> scripting to identify a connection of interest and have it written to
> disk (either with the exec framework or with set_record_packet)
> instead of including dumb BPFs with Bro's invocation?
That's one of the features of the TimeMachine framework that I haven't finished yet. :)
You can use the set_record_packets BiF as you found too, but that requires that you are running Bro with the -w flag to write packets to disk. Ultimately I think that something like the TimeMachine approach is the most scalable because you could even do your bulk packet recording on a separate device and just have Bro communicate to it when you want to extract some packets (even going back in time).
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
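An added example (not from the original thread, nor from the Bro project) of the set_record_packets approach discussed above: Bro decides in scriptland which connections are kept in the -w trace instead of a BPF on the command line. The selection criteria (the port set, the host set, and re-enabling recording when a notice fires) are assumptions chosen for illustration.

```bro
# Added example: selective packet retention from scriptland.
# Assumes Bro is started with -w <trace file>; set_record_packets only
# decides which packets of a connection are written to that trace.

module RecordOfInterest;

export {
    ## Assumed criterion: services whose connections are worth retaining.
    const interesting_ports: set[port] = { 445/tcp, 3389/tcp } &redef;

    ## Assumed criterion (constructed address): hosts whose traffic is retained.
    const interesting_hosts: set[addr] = { 10.0.0.5 } &redef;
}

# With -w, Bro records every packet by default, so each new connection is
# opted out first and only the interesting ones are opted back in.  The
# packet that raised new_connection may already be in the trace by then.
event new_connection(c: connection)
    {
    if ( c$id$resp_p in interesting_ports ||
         c$id$orig_h in interesting_hosts ||
         c$id$resp_h in interesting_hosts )
        set_record_packets(c$id, T);
    else
        set_record_packets(c$id, F);
    }

# A connection can become interesting after it started, e.g. when a notice
# is raised for it; keep the remainder of that connection on disk.
hook Notice::policy(n: Notice::Info)
    {
    if ( n?$id )
        set_record_packets(n$id, T);
    }
```

Packets exchanged before the notice fired are not recovered this way; that is the gap the TimeMachine approach mentioned above is meant to close.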