[Bro] P2P Traffic

Vlad Grigorescu vlad at grigorescu.org
Tue May 12 07:28:38 PDT 2015


There are two parts to each analyzer - the traffic is parsed off the wire
in the "core," which is what you showed in your screenshot, and events are
generated. Then, Bro scripts handle the events to generate logs, raise
notices, etc. Bro scripts also determine which analyzer will be enabled for
a certain TCP or UDP connection. Bro protocol analyzers exist in several
different states - most protocol analyzers have both core and script layer
code, and get enabled properly. It's possible for an analyzer to be
enabled, but not have any event handlers to actually *do* anything with the
resulting data (I don't think there are any examples of this right now).
Finally, the core parsing code could be present, but the analyzer isn't
getting enabled, and there are no scripts either. Some analyzers fall into
this third category (including bittorrent).

Everything in the screenshot should be getting compiled into Bro, and it's
available for you to use, but some may require you to write custom scripts
to enable the analyzer or generate logs. To see which analyzers are
available in your compiled version of Bro, you can run:

> % bro --print-plugins
> Bro::ARP - ARP Parsing (built-in)
> Bro::AYIYA - AYIYA Analyzer (built-in)
> Bro::BackDoor - Backdoor Analyzer deprecated (built-in)
> Bro::BitTorrent - BitTorrent Analyzer (built-in)
> Bro::ConnSize - Connection size analyzer (built-in)
> Bro::DCE_RPC - DCE-RPC analyzer (built-in)
> Bro::DHCP - DHCP analyzer (built-in)
> Bro::DNP3 - DNP3 UDP/TCP analyzers (built-in)
> ...

For example, if you want to enable the BitTorrent analyzer, you could write
a dynamic-protocol detection signature for it like this:

> # site/bt_dpd.sig
> signature dpd_bittorrent {
> ip-proto == tcp
> payload /\x13BitTorrent protocol.\x00.\x00\x00/
> enable "bittorrent"
> }

Then, in your site/local.bro, you could load this with "@load-sigs
./dpd.sig". This should be enough to start seeing BitTorrent P2P
connections have the service field of conn.log set to "bittorrent." If you
want to take this a step further, and start writing out a bittorrent.log
file, you could then start handling the BitTorrent events:
https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent

  --Vlad
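As a worked example of the last step above (an added illustration, not Vlad's code or a script shipped with Bro), the following script turns the BitTorrent handshake event into a bittorrent.log. It assumes the DPD signature above is loaded so the analyzer is enabled, and relies on Bro's built-in `bittorrent_peer_handshake` event; the module name, stream ID, record fields and file name are choices made here for the example.

```bro
# site/bittorrent-log.bro  (hypothetical file name)
# Writes one bittorrent.log row per peer-wire handshake seen on a connection
# for which the "bittorrent" analyzer was enabled by the DPD signature.
module BitTorrent;

export {
    redef enum Log::ID += { LOG };

    # Columns of the new bittorrent.log (record name and fields chosen here)
    type Info: record {
        ts:        time    &log;   # time the handshake was seen
        uid:       string  &log;   # conn.log uid, for correlation
        id:        conn_id &log;   # 4-tuple of the connection
        is_orig:   bool    &log;   # T if sent by the connection originator
        info_hash: string  &log;   # 20-byte torrent info hash, hex-encoded
        peer_id:   string  &log;   # 20-byte peer id, hex-encoded
    };

    global log_bittorrent: event(rec: Info);
}

event bro_init() &priority=5
{
    # Stream ID BitTorrent::LOG yields the default log path "bittorrent"
    Log::create_stream(BitTorrent::LOG, [$columns=Info, $ev=log_bittorrent]);
}

# Event raised by Bro's built-in BitTorrent analyzer for each peer handshake
event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
                                info_hash: string, peer_id: string)
{
    # info_hash and peer_id are raw bytes, so hex-encode them for the log
    local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $is_orig=is_orig,
                       $info_hash=bytestring_to_hexstr(info_hash),
                       $peer_id=bytestring_to_hexstr(peer_id)];
    Log::write(BitTorrent::LOG, rec);
}
```

Load it from site/local.bro with `@load ./bittorrent-log` alongside the `@load-sigs` line; the `uid` column lets each row be joined back to the conn.log entry whose service is "bittorrent".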

On Tue, May 12, 2015 at 8:28 AM, Ron M. Jenkins <rjenkins at rmjconsulting.net>
wrote:

>  Good morning;
>
> I see lots of protocol analyzers in the source, but not after compiling and
> installing.
>
> How do I get all analyzers installed?
>
> Thanks!
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Doris
> Schioberg
> Sent: Monday, May 11, 2015 11:31 AM
> To: bro at bro.org
> Subject: Re: [Bro] P2P Traffic
>
> Hi Ron,
>
> is that what you are looking for:
>
> https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent
>
> Doris
>
> On 5/11/15 9:15 AM, Ron M. Jenkins wrote:
>
> > Good morning;
> >
> > Can Bro detect P2P traffic, specifically BitTorrent?
> >
> > Thanks!
> >
> > Ron Jenkins (Owner / Senior Architect) RMJ Consulting, LLC. "Bringing
> > Companies and Solutions Together"
> > 11715 Bricksome Ave STE B-7
> > Baton Rouge, LA 70816
> > Toll: 855-448-5214
> > Direct. 225-448-5214 Ext #101
> > Fax. 225-448-5324
> > Cell. 225-931-1632
> > Email. rjenkins at rmjconsulting.net
> > Web. http://www.rmjconsulting.net
> > Log Siphon. http://www.logsiphon.com
> > Linkedin. www.linkedin.com/in/ronmjenkins/
> > Twitter: www.twitter.com/RMJConsulting
> > Facebook: www.facebook.com/rmjcsconsulting
> > RMJ Consulting's Technology Corner.
> > https://www.rmjconsulting.net/main/paper.php
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Doris Schioberg
> Bro Outreach, Training, and Education Coordinator, International Computer
> Science Institute (ICSI Berkeley)
> Phone: +1 (510) 289-8406 * doris at bro.org