[Bro] Monitoring a directory and running bro on the PCAPs
Azoff, Justin S
jazoff at illinois.edu
Fri Sep 30 20:15:22 PDT 2016
> On Sep 30, 2016, at 5:25 PM, Johanna Amann <johanna at icir.org> wrote:
>
> Hi,
>
> unless you have a way to replay the data to an interface that Bro can
> listen on (either by duplicating the traffic, or by using something like
> tcpreplay), I am not really aware of a good solution.
>
> Johanna
Hmm, it probably wouldn't be that hard to write a 'pcapdir' pkt source for bro. Basically it would just need to:

    while(!terminating) {
        pcap_files = all .pcap files in SOURCE_DIR
        sort pcap_files by oldest   # hopefully there is only one file
        for each pcap file {
            open and process packets into bro
            delete pcap             # or move to a DONE_DIR/.
        }
        if no files in pcap_files
            sleep(10ms)
    }
You'd just need the other tool to hardlink or move the pcaps into the SOURCE_DIR as they are done being written to.
This would also fix the tcp session issues.
--
- Justin Azoff
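The loop sketched in the post above, written out as a runnable directory watcher. This is an added example, not code from the Bro project or from the post: it scans SOURCE_DIR for files that already carry a pcap suffix (the assumption being that the capture tool writes elsewhere and renames or hardlinks the finished file in, so nothing half-written is ever picked up), hands them to a pluggable processor oldest-first, and moves each one to a DONE_DIR afterwards instead of deleting it. The default processor runs `bro -r` on each file as a separate process, which is an assumption about how the files would be consumed; unlike the in-process packet source proposed in the post it does not carry TCP state across file boundaries. Files whose processing fails are quarantined rather than retried forever.

```python
"""Feed finished PCAPs from a watched directory to a processor, oldest first.

Added example, not code from the Bro project or from the mailing-list post.
The directory scan, ordering and move-to-done logic mirror the loop in the
post; the processor is pluggable so the logic can be exercised without bro.
"""
import shutil
import subprocess
import time
from pathlib import Path
from typing import Callable, List, Tuple

PCAP_SUFFIXES = {".pcap", ".pcapng"}


def pending_pcaps(source_dir: Path) -> List[Path]:
    """Return the PCAP files in source_dir, oldest first (mtime, then name).

    Only regular files with a pcap suffix are returned. The capture tool is
    expected to write to a temporary name (or another directory) and rename
    or hardlink the file into source_dir once it is complete, so anything
    visible here is assumed to be finished and safe to read.
    """
    files = [p for p in source_dir.iterdir()
             if p.is_file() and p.suffix in PCAP_SUFFIXES]
    return sorted(files, key=lambda p: (p.stat().st_mtime, p.name))


def run_bro(pcap: Path) -> None:
    """Default processor: run bro on one file (assumes bro is on PATH).

    A non-zero exit raises CalledProcessError, which process_once treats
    as a failure for that file.
    """
    subprocess.run(["bro", "-r", str(pcap)], check=True)


def process_once(source_dir: Path, done_dir: Path,
                 processor: Callable[[Path], None] = run_bro
                 ) -> List[Tuple[str, bool]]:
    """One pass over source_dir.

    Each finished PCAP is processed in arrival order and then moved to
    done_dir; a file whose processor raises is moved to done_dir/failed so
    a corrupt or truncated capture does not block the loop on every pass.
    Returns (filename, succeeded) pairs in the order they were handled.
    """
    failed_dir = done_dir / "failed"
    done_dir.mkdir(parents=True, exist_ok=True)
    failed_dir.mkdir(parents=True, exist_ok=True)
    results: List[Tuple[str, bool]] = []
    for pcap in pending_pcaps(source_dir):
        try:
            processor(pcap)
        except Exception:
            # Quarantine instead of retrying forever on the next pass.
            shutil.move(str(pcap), str(failed_dir / pcap.name))
            results.append((pcap.name, False))
            continue
        # Move rather than delete so a run can be reproduced later.
        shutil.move(str(pcap), str(done_dir / pcap.name))
        results.append((pcap.name, True))
    return results


def watch(source_dir: Path, done_dir: Path, idle_sleep: float = 0.01,
          processor: Callable[[Path], None] = run_bro,
          should_stop: Callable[[], bool] = lambda: False) -> None:
    """The outer loop from the post: process what is there, sleep when empty."""
    while not should_stop():
        if not process_once(source_dir, done_dir, processor):
            time.sleep(idle_sleep)


if __name__ == "__main__":
    import sys
    watch(Path(sys.argv[1]), Path(sys.argv[2]))
```

Run as `python pcapdir.py SOURCE_DIR DONE_DIR`. The sort key uses the file's mtime, so a capture tool that rotates files by time and renames them in as they close yields the same order they were written in; if two files share an mtime the name breaks the tie, which is why time-stamped file names are worth keeping.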