[Bro] Monitoring a directory and running bro on the PCAPs

Daniel Guerra daniel.guerra69 at gmail.com
Fri Sep 30 14:50:01 PDT 2016


Hi,
I have made a packetbroker for this. Use tcpdump + netcat to the
packetbroker for each interface. Then with one bro consume all packets from
the broker.
https://hub.docker.com/r/danielguerra/packetbroker/
It's a concept test and was written in Perl.

Regards,
Daniel

Op 30 sep. 2016 11:32 PM schreef "Johanna Amann" <johanna at icir.org>:

> Hi,
>
> unless you have a way to replay the data to an interface that Bro can
> listen on (either by duplicating the traffic, or by using something like
> tcpreplay), I am not really aware of a good solution.
>
> Johanna
>
> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
> > Thank you. Is it possible to stream the pcap data to bro in lieu of
> > monitoring a directory? Thanks!
> >
> > Art
> >
> > On Fri, Sep 30, 2016 at 17:16 Johanna Amann <johanna at icir.org> wrote:
> >
> > > Hi Art,
> > >
> > > that is the easiest way to do that, yes, just run Bro after the pcap
> > > files have been written. The only disadvantage of this approach is that
> > > you lose session state between runs of Bro; when you run Bro on the
> > > following file, it will not parse any data from tcp sessions that started
> > > in the previous file.
> > >
> > > Johanna
> > >
> > > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > > > Does anyone have experience using Bro to run its analysis on PCAPs
> > > > being written to a directory in an automated fashion?
> > > > Should a cron just be run at a lag using bro -r and script options?
> > > > Thank you,
> > > >
> > > > -Art
> > >
> > > > _______________________________________________
> > > > Bro mailing list
> > > > bro at bro-ids.org
> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> > >
> > >
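The cron-plus-`bro -r` approach discussed in this thread, as an added example that is not code from the thread or from the Bro project. It assumes timestamp-named `.pcap` files (so name order is capture order) and that the newest file may still be open by the capture tool; `BRO`, `BRO_SCRIPTS`, `pending_pcaps` and `process_pcaps` are names chosen for this example.

```shell
#!/bin/sh
# Cron-driven processing of a pcap spool directory with "bro -r": one Bro run
# per file, with a done-list so a re-run never re-analyses a file. Assumptions
# (mine, not the thread's): files are named <timestamp>.pcap so name order is
# capture order, and the newest file may still be open by the capture tool.
set -eu

BRO="${BRO:-bro}"                      # bro binary
BRO_SCRIPTS="${BRO_SCRIPTS:-local}"    # script options given after -r <file>

# pending_pcaps DIR DONEFILE: print basenames of pcaps not yet processed, in
# name order, leaving out the lexically newest file (possibly still open).
pending_pcaps() {
    dir=$1 done_file=$2
    [ -f "$done_file" ] || : > "$done_file"
    all=$(cd "$dir" && ls *.pcap 2>/dev/null | sort)
    [ -n "$all" ] || return 0
    # drop the newest name, then filter out names already in DONEFILE
    printf '%s\n' "$all" | sed '$d' | grep -vxF -f "$done_file" || true
}

# process_pcaps DIR DONEFILE LOGROOT: run Bro once per pending file, writing
# its logs to LOGROOT/<name>/, and record the name only after Bro exits 0.
# Every run starts with empty connection state, so a TCP session that began
# in the previous file is not parsed: the limitation Johanna describes above.
process_pcaps() {
    dir=$(cd "$1" && pwd) done_file=$2 logroot=$3
    pending_pcaps "$dir" "$done_file" | while IFS= read -r name; do
        out="$logroot/${name%.pcap}"
        mkdir -p "$out"
        # run inside the per-file directory so conn.log etc. land there
        if ( cd "$out" && "$BRO" -r "$dir/$name" $BRO_SCRIPTS ); then
            printf '%s\n' "$name" >> "$done_file"
        else
            echo "bro failed on $name; it will be retried on the next run" >&2
        fi
    done
}

# cron entry, e.g.: process_pcaps /var/spool/pcaps /var/spool/pcaps/.done /var/log/bro
if [ $# -eq 3 ]; then
    process_pcaps "$1" "$2" "$3"
fi
```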

