[Bro] Stream Extraction from Scriptland

Seth Hall seth at icir.org
Tue Sep 23 05:42:32 PDT 2014


On Sep 22, 2014, at 10:27 PM, anthony kasza <anthony.kasza at gmail.com> wrote:

> I suppose my root question is this: is there a way to use Bro
> scripting to identify a connection of interest and have it written to
> disk (either with the exec framework or with set_record_packet)
> instead of including dumb BPFs with Bro's invocation?

That's one of the features of the TimeMachine framework that I haven't finished yet. :)

You can use the set_record_packets BiF as you found too, but that requires that you are running Bro with the -w flag to write packets to disk.  Ultimately I think that something like the TimeMachine approach is the most scalable because you could even do your bulk packet recording on a separate device and just have Bro communicate to it when you want to extract some packets (even going back in time).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
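Added example (not from either poster, and not part of Bro's own scripts): a Bro script that decides per connection whether its packets go to the ``-w`` trace file, using the set_record_packets BiF that Seth mentions. The port and host sets are hypothetical tunables invented for the example. It assumes Bro 2.x semantics: set_record_packets only has an effect when Bro was started with ``-w``, it only affects packets seen after the call, and new_connection is the earliest script-level point at which the full 5-tuple is known.

```bro
##! Added example (not from the original thread): selective packet recording
##! driven from scriptland.  Only useful when Bro runs with ``-w <tracefile>``;
##! without -w, set_record_packets() changes nothing.

module StreamExtract;

export {
	## Hypothetical tunable for this example: services whose
	## connections should be written to the trace file.
	const interesting_ports: set[port] = { 23/tcp, 4444/tcp } &redef;

	## Hypothetical tunable for this example: hosts whose traffic
	## should be written to the trace file.
	const interesting_hosts: set[addr] = { 192.0.2.10 } &redef;
}

## Decide whether a connection is worth keeping on disk.
function interesting(c: connection): bool
	{
	if ( c$id$resp_p in interesting_ports )
		return T;

	if ( c$id$orig_h in interesting_hosts || c$id$resp_h in interesting_hosts )
		return T;

	return F;
	}

## new_connection fires when the core first sees the connection, so this is
## the earliest point at which a per-connection recording decision can be
## made.  Setting the flag explicitly in both directions means the script
## does not depend on what the default recording state is; note that the
## packet that created the connection may already have been handled under
## that default before this handler ran.
event new_connection(c: connection)
	{
	set_record_packets(c$id, interesting(c));
	}

## A decision taken later in a connection's life only captures packets that
## arrive after the call.  Here the trace is switched on once a request for
## an executable is seen; the handshake and the request itself are already
## gone unless recording was on from new_connection.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	if ( /\.exe$/ in unescaped_URI )
		set_record_packets(c$id, T);
	}
```

Run as ``bro -i eth0 -w interesting.pcap stream-extract.bro`` (file name assumed); the resulting pcap contains the opted-in connections only, which is the scriptland replacement for a BPF on Bro's command line that the question asks about. The http_request handler illustrates the main limitation Seth's TimeMachine remark addresses: a decision made after the fact cannot reach back for packets Bro has already discarded, which is why bulk recording on a separate device that Bro can query later scales better.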
