[Bro] Stream Extraction from Scriptland

anthony kasza anthony.kasza at gmail.com
Tue Sep 23 07:35:33 PDT 2014


I agree with your point on scalability and look forward to the TimeMachine
framework.

It does seem that set_record_packets only works on TCP data packets,
though. I'm not sure if that's an issue with the function or with the
documentation about the function.

The script I included sets all new connections to false with
set_record_packets, then sets connections to true from the
connection_state_remove event if they contain DNS. The notes.txt file shows
the bro command I ran (including the -w option) against the sample.pcap
file, included previously, to produce a new trace file with unexpected
contents.

Is this a bug in the function or am I reading the doc incorrectly? Thanks
all (Seth).

-AK
On Sep 23, 2014 5:42 AM, "Seth Hall" <seth at icir.org> wrote:

>
> On Sep 22, 2014, at 10:27 PM, anthony kasza <anthony.kasza at gmail.com>
> wrote:
>
> > I supposed my root question is this: is there a way to use Bro
> > scripting to identify a connection of interest and have it written to
> > disk (either with the exec framework or with set_record_packet)
> > instead of including dumb BPFs with Bro's invocation?
>
> That's one of the features of the TimeMachine framework that I haven't
> finished yet. :)
>
> You can use the set_record_packets BiF as you found too, but that requires
> that you are running Bro with the -w flag to write packets to disk.
> Ultimately I think that something like the TimeMachine approach is the most
> scalable because you could even do your bulk packet recording on a
> separate device and just have Bro communicate to it when you want to
> extract some packets (even going back in time).
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
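The selective-recording pattern discussed in this thread, as an added example that is not the poster's script or part of the Bro distribution. It assumes set_record_packets() toggles a per-connection flag consulted for packets processed after the call (so the flag must be raised before the connection's packets have gone by, not at connection_state_remove), and that Bro is started with -w so there is a trace to write to.

```bro
# Added example (not the poster's script): record to the -w trace only the
# connections on which DNS is seen.
# Assumption: set_record_packets() sets a per-connection flag that Bro checks
# for each subsequent packet; it cannot retroactively write packets that were
# already processed before the call.
@load base/protocols/dns

event new_connection(c: connection)
    {
    # Default every new connection to "do not record".
    set_record_packets(c$id, F);
    }

event dns_request(c: connection, msg: dns_msg, query: string, qtype: count, qclass: count)
    {
    # First DNS query on this connection: start recording from here on.
    set_record_packets(c$id, T);
    }

event connection_state_remove(c: connection)
    {
    # By this point the connection's packets have already been processed, so
    # flipping the flag here (as the script under discussion does) affects
    # nothing; c?$dns only tells us whether DNS was ever observed.
    if ( c?$dns )
        print fmt("DNS connection %s finished", c$uid);
    }
```

Run as `bro -r sample.pcap -w dns_only.pcap <script>` to produce a trace containing only the DNS connections.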