[Bro] P2P Traffic

anthony kasza anthony.kasza at gmail.com
Tue May 12 09:23:31 PDT 2015


This might be a silly question, but why does Bro have scripts for analyzers
supported by the core?

-AK
On May 12, 2015 7:32 AM, "Vlad Grigorescu" <vlad at grigorescu.org> wrote:

> There are two parts to each analyzer - the traffic is parsed off the wire
> in the "core," which is what you showed in your screenshot, and events are
> generated. Then, Bro scripts handle the events to generate logs, raise
> notices, etc. Bro scripts also determine which analyzer will be enabled for
> a certain TCP or UDP connection. Bro protocol analyzers exist in several
> different states - most protocol analyzers have both core and script layer
> code, and get enabled properly. It's possible for an analyzer to be
> enabled, but not have any event handlers to actually *do* anything with the
> resulting data (I don't think there are any examples of this right now).
> Finally, the core parsing code could be present, but the analyzer isn't
> getting enabled, and there are no scripts either. Some analyzers fall into
> this third category (including bittorrent).
>
> Everything in the screenshot should be getting compiled into Bro, and it's
> available for you to use, but some may require you to write custom scripts
> to enable the analyzer or generate logs. To see which analyzers are
> available in your compiled version of Bro, you can run:
>
> > % bro --print-plugins
> > Bro::ARP - ARP Parsing (built-in)
> > Bro::AYIYA - AYIYA Analyzer (built-in)
> > Bro::BackDoor - Backdoor Analyzer deprecated (built-in)
> > Bro::BitTorrent - BitTorrent Analyzer (built-in)
> > Bro::ConnSize - Connection size analyzer (built-in)
> > Bro::DCE_RPC - DCE-RPC analyzer (built-in)
> > Bro::DHCP - DHCP analyzer (built-in)
> > Bro::DNP3 - DNP3 UDP/TCP analyzers (built-in)
> > ...
>
> For example, if you want to enable the BitTorrent analyzer, you could
> write a dynamic-protocol detection signature for it like this:
>
> > # site/bt_dpd.sig
> > signature dpd_bittorrent {
> >     ip-proto == tcp
> >     payload /\x13BitTorrent protocol.\x00.\x00\x00/
> >     enable "bittorrent"
> > }
>
> Then, in your site/local.bro, you could load this with "@load-sigs
> ./dpd.sig". This should be enough to start seeing BitTorrent P2P
> connections have the service field of conn.log set to "bittorrent." If you
> want to take this a step further, and start writing out a bittorrent.log
> file, you could then start handling the BitTorrent events:
> https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent
>
>   --Vlad
>
> On Tue, May 12, 2015 at 8:28 AM, Ron M. Jenkins <
> rjenkins at rmjconsulting.net> wrote:
>
>> Good morning;
>>
>> I see lots of protocol analyzers in the source, but not after compiling
>> and installing.
>>
>> How do I get all analyzers installed?
>>
>> Thanks!
>>
>> -----Original Message-----
>> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of
>> Doris Schioberg
>> Sent: Monday, May 11, 2015 11:31 AM
>> To: bro at bro.org
>> Subject: Re: [Bro] P2P Traffic
>>
>>
>> Hi Ron,
>>
>> is that what you are looking for:
>>
>> https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent
>>
>> Doris
>>
>> On 5/11/15 9:15 AM, Ron M. Jenkins wrote:
>>
>> > Good morning;
>> >
>> > Can Bro detect P2P traffic, specifically BitTorrent?
>> >
>> > Thanks!
>> >
>> > Ron Jenkins (Owner / Senior Architect) RMJ Consulting, LLC.
>> > "Bringing Companies and Solutions Together"
>> > 11715 Bricksome Ave STE B-7
>> > Baton Rouge, LA 70816
>> > Toll: 855-448-5214
>> > Direct. 225-448-5214 Ext #101
>> > Fax. 225-448-5324
>> > Cell. 225-931-1632
>> > Email. rjenkins at rmjconsulting.net
>> > Web. http://www.rmjconsulting.net
>> > Log Siphon. http://www.logsiphon.com
>> > Linkedin. www.linkedin.com/in/ronmjenkins/
>> > Twitter: www.twitter.com/RMJConsulting
>> > Facebook: www.facebook.com/rmjcsconsulting
>> > RMJ Consulting's Technology Corner. https://www.rmjconsulting.net/main/paper.php
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >
>>
>>
>> --
>> Doris Schioberg
>> Bro Outreach, Training, and Education Coordinator
>> International Computer Science Institute (ICSI Berkeley)
>> Phone: +1 (510) 289-8406 * doris at bro.org
>>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 26807 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150512/2f8eff09/attachment-0001.bin 
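Editor's note: the following is an added example, not code from Vlad's reply, from the Bro distribution, or from anyone in this thread. It carries out the second step Vlad describes: once the DPD signature has enabled the BitTorrent analyzer, handle the peer-handshake event and write a bittorrent.log, with an optional notice for info hashes you are watching. It assumes the signature from the reply is saved as site/bt_dpd.sig beside local.bro, and that the event is bittorrent_peer_handshake(c, is_orig, reserved, info_hash, peer_id) as listed on the proto-analyzers page linked above. The module name, record fields, the watched_hashes set and its placeholder entry, and the Notice type are choices made for this example.

```bro
# site/bittorrent.bro  (added example; load from local.bro with "@load ./bittorrent")
# Assumes site/bt_dpd.sig holds the dpd_bittorrent signature from the thread,
# which is what actually switches the analyzer on for a connection.
@load-sigs ./bt_dpd.sig

module BitTorrent;

export {
	redef enum Log::ID += { LOG };

	## One record per peer handshake seen on the wire.
	type Info: record {
		ts:        time    &log;
		uid:       string  &log;
		id:        conn_id &log;
		## True if the originator of the connection sent this handshake.
		is_orig:   bool    &log;
		## 20-byte torrent info hash, hex-encoded.
		info_hash: string  &log;
		## 20-byte peer ID, hex-encoded; the leading bytes fingerprint the client.
		peer_id:   string  &log;
	};

	## Info hashes worth a notice. The entry below is a constructed placeholder
	## (all zeroes); replace it with hashes from your own investigations.
	const watched_hashes: set[string] = {
		"0000000000000000000000000000000000000000",
	} &redef;
}

redef enum Notice::Type += {
	## A peer handshake carried an info hash listed in watched_hashes.
	Watched_Info_Hash,
};

event bro_init()
	{
	# The stream ID BitTorrent::LOG gives the default log path "bittorrent",
	# so this produces bittorrent.log alongside conn.log.
	Log::create_stream(BitTorrent::LOG, [$columns=Info]);
	}

event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
                                info_hash: string, peer_id: string)
	{
	# Both fields are raw 20-byte strings; hex-encode them so the log stays ASCII.
	local hash = bytestring_to_hexstr(info_hash);
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id, $is_orig=is_orig,
	                   $info_hash=hash, $peer_id=bytestring_to_hexstr(peer_id)];
	Log::write(BitTorrent::LOG, rec);

	if ( hash in watched_hashes )
		NOTICE([$note=Watched_Info_Hash,
		        $msg=fmt("BitTorrent handshake for watched info hash %s", hash),
		        $sub=rec$peer_id,
		        $conn=c,
		        # Suppress repeats per (host, hash) rather than per connection.
		        $identifier=cat(c$id$orig_h, hash)]);
	}
```

Two checks before expecting output: confirm `bro --print-plugins` lists Bro::BitTorrent as in Vlad's reply, and confirm conn.log shows service "bittorrent" for a known peer connection, since the handshake event only fires after the signature has enabled the analyzer. Tracker traffic over HTTP is handled by separate bt_tracker_* events and is not covered by this script.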

