[Bro] P2P Traffic

Vlad Grigorescu vlad at grigorescu.org
Tue May 12 14:32:45 PDT 2015


From the spec: http://www.bittorrent.org/beps/bep_0003.html

> The peer wire protocol consists of a handshake followed by a never-ending
> stream of length-prefixed messages. The handshake starts with character
> nineteen (decimal) followed by the string 'BitTorrent protocol'. ... After
> the fixed headers come eight reserved bytes, which are all zero in all
> current implementations.

There are some extensions that are defined here:
http://www.bittorrent.org/beps/bep_0000.html. I couldn't find any
extensions that used the 2nd, 4th or 5th extension bytes, so I hard-coded
those to 0.

On Tue, May 12, 2015 at 2:21 PM, Ron M. Jenkins <rjenkins at rmjconsulting.net>
wrote:

>  Where did you determine the payload part?
>
> payload /\x13BitTorrent protocol.\x00.\x00\x00/
>
> Thanks!
>
> From: grigorescu at gmail.com [mailto:grigorescu at gmail.com] On Behalf Of Vlad
> Grigorescu
> Sent: Tuesday, May 12, 2015 9:29 AM
> To: Ron M. Jenkins
> Cc: bro at bro.org List (bro at bro.org)
> Subject: Re: [Bro] P2P Traffic
>
> There are two parts to each analyzer - the traffic is parsed off the wire
> in the "core," which is what you showed in your screenshot, and events are
> generated. Then, Bro scripts handle the events to generate logs, raise
> notices, etc. Bro scripts also determine which analyzer will be enabled for
> a certain TCP or UDP connection. Bro protocol analyzers exist in several
> different states - most protocol analyzers have both core and script layer
> code, and get enabled properly. It's possible for an analyzer to be
> enabled, but not have any event handlers to actually *do* anything with the
> resulting data (I don't think there are any examples of this right now).
> Finally, the core parsing code could be present, but the analyzer isn't
> getting enabled, and there are no scripts either. Some analyzers fall into
> this third category (including bittorrent).
>
> Everything in the screenshot should be getting compiled into Bro, and it's
> available for you to use, but some may require you to write custom scripts
> to enable the analyzer or generate logs. To see which analyzers are
> available in your compiled version of Bro, you can run:
>
> > % bro --print-plugins
> > Bro::ARP - ARP Parsing (built-in)
> > Bro::AYIYA - AYIYA Analyzer (built-in)
> > Bro::BackDoor - Backdoor Analyzer deprecated (built-in)
> > Bro::BitTorrent - BitTorrent Analyzer (built-in)
> > Bro::ConnSize - Connection size analyzer (built-in)
> > Bro::DCE_RPC - DCE-RPC analyzer (built-in)
> > Bro::DHCP - DHCP analyzer (built-in)
> > Bro::DNP3 - DNP3 UDP/TCP analyzers (built-in)
> > ...
>
> For example, if you want to enable the BitTorrent analyzer, you could
> write a dynamic-protocol detection signature for it like this:
>
> > # site/bt_dpd.sig
> > signature dpd_bittorrent {
> >          ip-proto == tcp
> >          payload /\x13BitTorrent protocol.\x00.\x00\x00/
> >          enable "bittorrent"
> > }
>
> Then, in your site/local.bro, you could load this with "@load-sigs
> ./dpd.sig". This should be enough to start seeing BitTorrent P2P
> connections have the service field of conn.log set to "bittorrent." If you
> want to take this a step further, and start writing out a bittorrent.log
> file, you could then start handling the BitTorrent events:
> https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent
>
>   --Vlad
>
> On Tue, May 12, 2015 at 8:28 AM, Ron M. Jenkins <
> rjenkins at rmjconsulting.net> wrote:
>
>  Good morning;
>
> I see lots of protocol analyzers in the source, but not after compiling and
> installing.
>
> How do I get all analyzers installed?
>
> Thanks!
>
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Doris
> Schioberg
> Sent: Monday, May 11, 2015 11:31 AM
> To: bro at bro.org
> Subject: Re: [Bro] P2P Traffic
>
> Hi Ron,
>
> Is that what you are looking for:
>
> https://www.bro.org/sphinx-git/script-reference/proto-analyzers.html#bro-bittorrent
>
> Doris
>
> On 5/11/15 9:15 AM, Ron M. Jenkins wrote:
>
> > Good morning;
> >
> > Can Bro detect P2P traffic, specifically BitTorrent?
> >
> > Thanks!
> >
> > Ron Jenkins (Owner / Senior Architect) RMJ Consulting, LLC. "Bringing
> > Companies and Solutions Together"
> > Web. http://www.rmjconsulting.net
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Doris Schioberg
> Bro Outreach, Training, and Education Coordinator International Computer
> Science Institute (ICSI Berkeley)
> Phone: +1 (510) 289-8406 * doris at bro.org
>
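As an added example that is not part of the thread or of Bro itself: the script below lays out the BEP 3 handshake exactly as Vlad quotes it (length byte 19, the protocol string, 8 reserved bytes, then the 20-byte info_hash and peer_id) and applies the payload regex from the dpd_bittorrent signature to constructed handshakes. It shows why the regex leaves reserved bytes 1 and 3 as "." and does not look at bytes 6 to 8 at all: shipping clients set extension flags there (BEP 10 in byte 6, the DHT and fast-extension bits in byte 8), while bytes 2, 4 and 5 stay zero. The info_hash and peer_id values are made up for the demonstration; the flag positions are the ones the respective BEPs specify.

```python
import re

# Wire layout of the BEP 3 peer handshake:
#   1 byte   pstrlen, always 19
#   19 bytes pstr, "BitTorrent protocol"
#   8 bytes  reserved (extension flags)
#   20 bytes info_hash
#   20 bytes peer_id
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes

# The payload regex from the dpd_bittorrent signature in the thread, as a
# Python byte pattern. DOTALL lets '.' match every byte value (0x0a included).
# It pins reserved bytes 2, 4 and 5 to zero, leaves bytes 1 and 3 free, and
# never examines bytes 6, 7 and 8.
SIGNATURE = re.compile(rb"\x13BitTorrent protocol.\x00.\x00\x00", re.DOTALL)
SIGNATURE_PREFIX_LEN = 1 + len(PSTR) + 5  # the first 25 bytes decide the match

# Reserved-byte flags that real clients set, as (index, bit) into the 8-byte
# reserved field. Positions are the ones the BEPs define.
RESERVED_FLAGS = {
    "extension_protocol": (5, 0x10),  # BEP 10: byte 6 of the reserved field
    "dht": (7, 0x01),                 # BEP 5: last bit of byte 8
    "fast": (7, 0x04),                # BEP 6: byte 8
}


def build_handshake(info_hash: bytes, peer_id: bytes, flags=()) -> bytes:
    """Assemble a handshake with the named reserved-byte flags set."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id are 20 bytes each")
    reserved = bytearray(8)
    for name in flags:
        idx, bit = RESERVED_FLAGS[name]
        reserved[idx] |= bit
    return bytes([len(PSTR)]) + PSTR + bytes(reserved) + info_hash + peer_id


def parse_handshake(data: bytes) -> dict:
    """Split a handshake into its fields and decode the known reserved flags."""
    if len(data) < HANDSHAKE_LEN:
        raise ValueError("need %d bytes, got %d" % (HANDSHAKE_LEN, len(data)))
    if data[0] != len(PSTR) or data[1:20] != PSTR:
        raise ValueError("not a BitTorrent peer handshake")
    reserved = data[20:28]
    flags = sorted(name for name, (idx, bit) in RESERVED_FLAGS.items()
                   if reserved[idx] & bit)
    return {
        "reserved": reserved.hex(),
        "info_hash": data[28:48].hex(),
        "peer_id": data[48:68],
        "flags": flags,
    }


def signature_matches(payload: bytes) -> bool:
    """Apply the signature regex from offset 0, where the handshake sits as
    the very first bytes a peer sends on the connection."""
    return SIGNATURE.match(payload) is not None


if __name__ == "__main__":
    # Constructed sample values, not taken from any real swarm.
    info_hash = bytes(range(20))
    peer_id = b"-XX0001-" + b"0" * 12
    cases = {
        "plain": build_handshake(info_hash, peer_id),
        "ext+dht+fast": build_handshake(
            info_hash, peer_id, ("extension_protocol", "dht", "fast")),
    }
    # Same handshake with reserved byte 2 set: the signature does not fire.
    odd = bytearray(cases["plain"])
    odd[21] = 0x01
    cases["reserved byte 2 set"] = bytes(odd)
    for name, hs in cases.items():
        info = parse_handshake(hs)
        print("%-20s reserved=%s flags=%s match=%s" % (
            name, info["reserved"], info["flags"], signature_matches(hs)))
    # Only the first 25 bytes matter, so a short first segment already matches.
    print("25-byte prefix match:",
          signature_matches(cases["ext+dht+fast"][:SIGNATURE_PREFIX_LEN]))
```

Two things worth keeping in mind when deploying the signature: it needs only the first 25 bytes of the originator's stream, so it fires on the first segment without waiting for the 68-byte handshake to complete, and the file name in the thread is inconsistent (the comment says site/bt_dpd.sig while the @load-sigs line loads ./dpd.sig), so make sure local.bro loads the file you actually created.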