[Bro] TORRENT Detection -BRO

Vlad Grigorescu vladg at illinois.edu
Wed May 31 08:07:55 PDT 2017


I looked at this a while back, and didn't pursue it because the protocol
itself really doesn't have a lot of useful information. There are no
filenames or really any useful metadata in the protocol (that's all
contained in the .torrent file which is downloaded via a different
channel).

There might be something for DHT, but that would require parsing
a completely different protocol.

  --Vlad

Johanna Amann <johanna at icir.org> writes:

> Hi,
>
>> Will I be able to detect torrent downloads using Bro? I could see some
>> torrent analyzers; is there any load statement I should include in local.bro,
>> or how do I detect it?
>
> The Bittorrent analyzer in Bro has not been touched in years and I assume
> that it is not functional (it certainly has not been tested by anyone in a
> long time).
>
> If you are interested in trying to enable it, you will have to write all
> scripts yourself. As you are probably aware, for most protocol analyzers we
> have scripts in base/ that create the logfiles that are written to disk.
> These scripts were never created for the Bittorrent analyzer - you would
> have to write them from scratch (and, as I mentioned, I have doubts that it
> still works).
>
> So - short version - there is no quick and easy way to enable it
> currently.
>
> Johanna
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
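The point Vlad makes above, that the peer-wire protocol carries no filenames, is easy to see from its handshake. What follows is an added example, not code from this thread or from Bro: a small Python parser for the BitTorrent peer-wire handshake (BEP 3 layout: length byte, "BitTorrent protocol", 8 reserved bytes, 20-byte info_hash, 20-byte peer_id), run over a few constructed flow payloads to show what a detector can actually log (the info_hash, the peer_id and the client code embedded in Azureus-style peer ids) and what it cannot (any file name, which lives only in the out-of-band .torrent file). The flow records, the `-XX0100-` client code and all helper names are constructed for this example.

```python
# Added example: parse the BitTorrent peer-wire handshake and turn matching
# flows into log records. Everything below is constructed for illustration.

# Wire layout of the peer-wire handshake (BEP 3):
#   1 byte    pstrlen   (always 19 for "BitTorrent protocol")
#   19 bytes  pstr
#   8 bytes   reserved  (extension bits)
#   20 bytes  info_hash (SHA-1 of the torrent's "info" dictionary)
#   20 bytes  peer_id
PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes


def parse_handshake(data: bytes):
    """Return a dict of the handshake fields, or None if data is not a handshake."""
    if len(data) < HANDSHAKE_LEN:
        return None
    pstrlen = data[0]
    if pstrlen != len(PSTR) or data[1:1 + pstrlen] != PSTR:
        return None
    off = 1 + pstrlen
    return {
        "reserved": data[off:off + 8],
        "info_hash": data[off + 8:off + 28].hex(),
        "peer_id": data[off + 28:off + 48],
    }


def client_from_peer_id(peer_id: bytes):
    """Decode an Azureus-style peer id ("-XXNNNN-...") into (client_code, version).

    Returns None for peer ids that do not follow that convention.
    """
    if len(peer_id) == 20 and peer_id[0:1] == b"-" and peer_id[7:8] == b"-":
        try:
            return peer_id[1:3].decode("ascii"), peer_id[3:7].decode("ascii")
        except UnicodeDecodeError:
            return None
    return None


def build_handshake(info_hash: bytes, peer_id: bytes, reserved: bytes = b"\x00" * 8) -> bytes:
    """Construct a handshake payload (used here only to create sample traffic)."""
    assert len(info_hash) == 20 and len(peer_id) == 20 and len(reserved) == 8
    return bytes([len(PSTR)]) + PSTR + reserved + info_hash + peer_id


def detect_bittorrent(flows):
    """Scan (src, dst, first payload bytes) flow records; return one log record per handshake.

    Note what the record contains: an info_hash and a client hint, but no
    filename. Mapping the hash to a torrent name needs the .torrent file.
    """
    hits = []
    for flow in flows:
        hs = parse_handshake(flow["payload"])
        if hs is None:
            continue
        hits.append({
            "src": flow["src"],
            "dst": flow["dst"],
            "info_hash": hs["info_hash"],
            "client": client_from_peer_id(hs["peer_id"]),
        })
    return hits


# --- constructed sample traffic -------------------------------------------
SAMPLE_INFO_HASH = bytes(range(20))                  # placeholder hash, not a real torrent
SAMPLE_PEER_ID = b"-XX0100-" + b"A" * 12             # "XX" is a made-up client code
SAMPLE_HANDSHAKE = build_handshake(SAMPLE_INFO_HASH, SAMPLE_PEER_ID)

SAMPLE_FLOWS = [
    {"src": "10.0.0.5:51234", "dst": "203.0.113.9:80", "payload": b"GET / HTTP/1.1\r\n"},
    {"src": "10.0.0.5:51235", "dst": "203.0.113.10:6881", "payload": SAMPLE_HANDSHAKE},
    {"src": "10.0.0.5:51236", "dst": "203.0.113.11:6881", "payload": SAMPLE_HANDSHAKE[:40]},  # truncated
]

if __name__ == "__main__":
    for rec in detect_bittorrent(SAMPLE_FLOWS):
        print(rec)
```

Running the block prints a single record for the complete handshake flow; the HTTP request and the truncated payload are ignored. The same check is what a protocol analyzer would use as its signature: the fixed prefix `\x13BitTorrent protocol` followed by exactly 48 more bytes.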