[Bro] Detecting Encryption

nhtvl bmixonb1 at cs.unm.edu
Fri Aug 21 12:52:11 PDT 2015


That is amazing! Would I need to make additions in a script of mine in
order to differentiate between encryption and compression?

On 08/21/2015 01:50 PM, Robin Sommer wrote:
> 
> 
> On Fri, Aug 21, 2015 at 11:36 -0600, nhtvl wrote:
> 
>> I had a suggestion from my advisor that I should compress the
>> data being sent over the wire to see if it is compressible or not
>> and use that in determining whether a stream is using encryption
>> or not.
> 
> Bro has functions to measure entropy, see 
> https://www.bro.org/sphinx-git/scripts/base/bif/bro.bif.bro.html#id-find_entropy.
>
>  Robin
> 
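As an added illustration of the entropy and compressibility discussion in this thread (example code, not from the thread or from Bro itself), the Python below computes the per-byte entropy figure that find_entropy() reports together with the advisor's "does it still compress?" test over constructed samples, and goes one step further than the thread by checking for compression-format magic bytes as the one cheap way to tell compressed from encrypted once both look random. The thresholds, the magic-byte list and the SHA-256 keystream standing in for real ciphertext are assumptions.

```python
import hashlib
import math
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0 (the same quantity as the `entropy` field of Bro's find_entropy())."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def compression_ratio(data: bytes) -> float:
    """zlib output size over input size; about 1.0 or higher means the data would not compress."""
    return len(zlib.compress(data, 9)) / len(data) if data else 1.0


# Leading bytes of common compression formats (gzip, zlib at three levels, bzip2, xz).
# Constructed list; a header check is the only thing here that separates the two high-entropy cases.
COMPRESSION_MAGIC = (b"\x1f\x8b", b"\x78\x01", b"\x78\x9c", b"\x78\xda", b"BZh", b"\xfd7zXZ\x00")


def classify(data: bytes, entropy_min: float = 7.0, ratio_min: float = 0.95) -> str:
    """Crude verdict for one payload chunk. Both thresholds are assumptions, not Bro defaults."""
    if shannon_entropy(data) < entropy_min and compression_ratio(data) < ratio_min:
        return "plaintext"
    if data.startswith(COMPRESSION_MAGIC):
        return "compressed"
    return "encrypted-or-compressed"  # random-looking and incompressible, no known header


def _fake_ciphertext(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for real encryption (constructed): XOR with a SHA-256 counter-mode keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(plaintext) // 32 + 1))
    return bytes(p ^ s for p, s in zip(plaintext, stream))


# Constructed sample payloads: an HTTP request repeated, its zlib form, and a pseudo-ciphertext.
TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.org\r\nUser-Agent: test\r\n\r\n" * 40
COMPRESSED = zlib.compress(TEXT, 9)
CIPHERTEXT = _fake_ciphertext(TEXT, b"constructed-key")

if __name__ == "__main__":
    for name, blob in (("text", TEXT), ("zlib", COMPRESSED), ("cipher", CIPHERTEXT)):
        print(f"{name:7s} entropy={shannon_entropy(blob):.2f} "
              f"ratio={compression_ratio(blob):.2f} -> {classify(blob)}")
```

Stripping the two-byte zlib header from COMPRESSED makes it indistinguishable from the pseudo-ciphertext by these measures, which is exactly the limit the question above runs into.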

