[Bro] Does Bro generate only one event for one network connection?

Daniel Thayer dnthayer at illinois.edu
Wed Aug 5 09:36:58 PDT 2015


It is possible for Bro to generate more than one event.
For example, it is possible for one UDP packet to generate
both "udp_reply" and "udp_contents" events.
Similarly, an HTTP request will cause Bro to generate an
"http_request" event and a "tcp_packet" event.

All of the Bro events are described in the documentation:
https://www.bro.org/sphinx/script-reference/proto-analyzers.html
https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html


On 08/05/2015 08:12 AM, Nuyun Zhang wrote:
> Dear Bro team,
>
>     I have a question about Bro. Does Bro generate only one event for
> one packet/connection? Or will Bro generate multiple events for one
> packet/connection?
>      I have read the paper "Bro: A System for Detecting Network Intruders
> in Real-Time." The example showed Bro did generate a "Finger" event when
> the connection meets more conditions instead of a TCP_connection event.
> Is this always true?
>      Thanks!
> --
> Nuyun Zhang (Nellie) Ph.D.
> Research Associate
> CCIT of Clemson University
> http://people.clemson.edu/~nuyun/
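
The behaviour described in the reply can be observed directly with a short script. This is an added example, not code from either poster or from the Bro project; it is written in the Bro 2.x scripting language, and the names `event_tally` and `bump` as well as the trace file name in the comment are hypothetical.

```bro
# Added example: count how often each event fires per connection UID.
# Run against a capture, e.g.:  bro -r trace.pcap tally.bro
# (trace.pcap and tally.bro are placeholder file names).
# tcp_packet is raised for every TCP packet, so handling it is expensive;
# use this on a trace file rather than on a busy live link.

# [connection uid, event name] -> number of times the event fired
global event_tally: table[string, string] of count;

function bump(c: connection, ev: string)
    {
    if ( [c$uid, ev] !in event_tally )
        event_tally[c$uid, ev] = 0;
    ++event_tally[c$uid, ev];
    }

# Connection-level events.
event new_connection(c: connection)
    { bump(c, "new_connection"); }
event connection_established(c: connection)
    { bump(c, "connection_established"); }
event connection_state_remove(c: connection)
    { bump(c, "connection_state_remove"); }

# Packet-level TCP event: one per packet of the connection.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    { bump(c, "tcp_packet"); }

# Application-level events raised by the HTTP analyzer on the same connection.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    { bump(c, "http_request"); }
event http_reply(c: connection, version: string, code: count, reason: string)
    { bump(c, "http_reply"); }

# UDP flows are tracked as connections too.
event udp_request(u: connection)
    { bump(u, "udp_request"); }
event udp_reply(u: connection)
    { bump(u, "udp_reply"); }

# At shutdown, print one line per (connection, event) pair.
event bro_done()
    {
    for ( [uid, ev] in event_tally )
        print fmt("%s %s %d", uid, ev, event_tally[uid, ev]);
    }
```

For a trace containing an HTTP session, the same UID appears on several output lines, one for each event type that fired on that connection.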

