[Bro] Monitoring a directory and running bro on the PCAPs

Art Maddalena Art.Maddalena at teamaol.com
Fri Sep 30 15:01:27 PDT 2016


Thank you all for the advice. I am trying not to duplicate capturing
efforts as we use a different in house developed open sourced tool (Moloch)
for capture as well. Currently I am running bro concurrently with suri and
would love to reduce the overhead of performing both capture and analysis
with bro. Thanks again all! I will think about using our npbs for a
duplicate traffic stream and look into the other suggestions mentioned as
well.

Art

On Fri, Sep 30, 2016 at 17:50 Daniel Guerra <daniel.guerra69 at gmail.com>
wrote:

> Hi,
> I have made a packetbroker for this. Use tcpdump + netcat to the
> packetbroker for each interface. Then with one bro consume all packets from
> the broker.
> https://hub.docker.com/r/danielguerra/packetbroker/
> It's a concept test and was written in perl.
>
> Regards,
> Daniel
>
> Op 30 sep. 2016 11:32 PM schreef "Johanna Amann" <johanna at icir.org>:
>
>> Hi,
>>
>> unless you have a way to replay the data to an interface that Bro can
>> listen on (either by duplicating the traffic, or by using something like
>> tcpreplay), I am not really aware of a good solution.
>>
>> Johanna
>>
>> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
>> > Thank you. Is it possible to stream the pcap data to bro in lieu of
>> > monitoring a directory? Thanks!
>> >
>> > Art
>> >
>> > On Fri, Sep 30, 2016 at 17:16 Johanna Amann <johanna at icir.org> wrote:
>> >
>> > > Hi Art,
>> > >
>> > > that is the easiest way to do that, yes, just run Bro after the pcap files
>> > > have been written. The only disadvantage of this approach is that you
>> > > lose session state between runs of Bro; when you run Bro on the following
>> > > file, it will not parse any data from tcp sessions that started in the
>> > > previous file.
>> > >
>> > > Johanna
>> > >
>> > > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
>> > > > Does anyone have experience using Bro to run its analysis on PCAPs being
>> > > > written to a directory in an automated fashion?
>> > > > Should a cron just be run at a lag using bro -r and script options?
>> > > > Thank you,
>> > > >
>> > > > -Art
>> > >
>> > > > _______________________________________________
>> > > > Bro mailing list
>> > > > bro at bro-ids.org
>> > > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> > >
>> > >
>>
>
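A poller in the spirit of Art's cron idea and Johanna's "run Bro after the pcap files have been written", as an added example that is not code from the thread or from Bro itself. It assumes the capture tool stops touching a pcap once it is complete (so an mtime older than a lag is safe to read), keeps a ledger so repeated cron runs are idempotent, and still loses TCP session state across files, as Johanna notes; PCAP_DIR, LEDGER, OUT_ROOT, BRO_SCRIPTS and the script name are assumed names.

```shell
#!/bin/sh
# Added example (not from the thread): cron-driven poller that runs Bro once
# per completed pcap. Assumptions: the capture tool writes $PCAP_DIR/*.pcap and
# stops touching a file once complete, so an mtime older than $LAG_MIN minutes
# means "safe to read"; processed paths go into $LEDGER so reruns are idempotent.
PCAP_DIR="${PCAP_DIR:-/var/pcaps}"
LAG_MIN="${LAG_MIN:-5}"
LEDGER="${LEDGER:-/var/lib/bro-pcap/processed.txt}"
OUT_ROOT="${OUT_ROOT:-/var/lib/bro-pcap/logs}"
BRO_CMD="${BRO_CMD:-bro -r}"      # command that reads one pcap file
BRO_SCRIPTS="${BRO_SCRIPTS:-}"    # extra script args after the pcap, e.g. local

# Print pcaps whose mtime is older than LAG_MIN minutes, one per line.
settled_pcaps() {
  find "$PCAP_DIR" -maxdepth 1 -name '*.pcap' -mmin "+$LAG_MIN" | sort
}

# True when the ledger already lists this exact path.
already_processed() {
  [ -f "$LEDGER" ] && grep -Fxq -- "$1" "$LEDGER"
}

# Run Bro inside a per-file directory: it writes conn.log etc. into cwd.
process_pcap() {
  outdir="$OUT_ROOT/$(basename "$1" .pcap)"
  mkdir -p "$outdir"
  ( cd "$outdir" && $BRO_CMD "$1" $BRO_SCRIPTS )
}

# One pass: analyse every settled, unprocessed pcap and record it in the
# ledger. Prints the number of files processed; failures are retried next pass.
poll_once() {
  mkdir -p "$(dirname "$LEDGER")" && touch "$LEDGER"
  before=$(wc -l < "$LEDGER")
  settled_pcaps | while IFS= read -r f; do
    already_processed "$f" && continue
    if process_pcap "$f"; then
      printf '%s\n' "$f" >> "$LEDGER"
    else
      echo "bro failed on $f; leaving it for the next pass" >&2
    fi
  done
  echo $(( $(wc -l < "$LEDGER") - before ))
}

# Cron entry (every 5 minutes): */5 * * * * /usr/local/bin/bro-pcap-poll.sh poll
if [ "$#" -eq 1 ] && [ "$1" = poll ]; then
  poll_once
fi
```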