[Bro] Detecting Encryption
Robin Sommer
robin at icir.org
Fri Aug 21 12:50:15 PDT 2015
On Fri, Aug 21, 2015 at 11:36 -0600, nhtvl wrote:
> I had a suggestion from my advisor that I should compress the data
> being sent over the wire to see if it is compressible or not and use
> that in determining whether a stream is using encryption or not.
Bro has functions to measure entropy, see
https://www.bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-find_entropy.
Robin
--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
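The two measurements mentioned in this thread, compressibility and byte entropy, side by side as an added example that is not part of the original messages and is not Bro's implementation of `find_entropy`. The thresholds, the function names and the sample payloads are assumptions constructed for illustration.

```python
import math
import os
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size; about 1.0 means incompressible."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0


def looks_random(data: bytes, min_entropy: float = 7.5,
                 min_ratio: float = 0.95, min_len: int = 1024) -> bool:
    """Combine both signals. Thresholds are assumed, not taken from Bro."""
    if len(data) < min_len:
        return False  # too few bytes for the histogram to mean anything
    return (shannon_entropy(data) >= min_entropy
            and compression_ratio(data) >= min_ratio)


# Constructed sample payloads (not captured traffic).
PLAINTEXT = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n" * 40
CIPHERTEXT_LIKE = os.urandom(4096)  # stand-in for an encrypted stream
_rng = random.Random(0)
_words = [b"alpha", b"bravo", b"charlie", b"delta", b"echo", b"foxtrot",
          b"golf", b"hotel", b"india", b"juliet", b"kilo", b"lima"]
# An already-compressed stream, e.g. a file transfer of a .gz archive.
COMPRESSED = zlib.compress(b" ".join(_rng.choice(_words) for _ in range(20000)))

if __name__ == "__main__":
    samples = [("plaintext", PLAINTEXT), ("ciphertext-like", CIPHERTEXT_LIKE),
               ("compressed", COMPRESSED)]
    for name, payload in samples:
        print(f"{name:16s} entropy={shannon_entropy(payload):.2f} "
              f"ratio={compression_ratio(payload):.2f} "
              f"random={looks_random(payload)}")
```

The compressed sample scores about as high as the ciphertext stand-in on both measures, so either signal separates structured plaintext from everything else rather than encryption from compression.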