[Bro] A lower level interface
Johanna Amann
johanna at icir.org
Tue Oct 10 10:01:44 PDT 2017
Hi,
> I've seen many discussions referring to the Bro as an alternative of
> libnids.
Out of curiosity - where did you see discussions like that?
I do not really know much about libnids, but from the readme it seems that
libnids is a library that mostly implements TCP reassembly. While this is
a part of what Bro does, it only is a small part of it; obviously the
main focus of Bro is on a different layer.
> I wonder that can we use the similar lower-level interface similar
> to libnids in Bro (e.g., for the tcp assembly)?
I am not quite sure what you are looking for here, could you perhaps
expand a bit on that?
The lowest level access that you can get is probably by writing a custom
(c++) analyzer that gets passed either the reassembled TCP payloads (or
just the raw packets in case of UDP).
> We would like to explore the string features of packets, while keeping
> to leverage Bro's high-level events.
You can use something like the new_packet events in Bro to get access to
individual packet information. However, there is a performance penalty
associated with this (script-level events are fairly expensive and usually
there are a few per connection, not a few per packet).
For anything carrying a significant amount of traffic that approach
probably is not viable.
It depends a bit on what you want to do - preprocessing in C++ and then
bubbling up more high-level events should be a more realistic choice.
I hope this helps,
Johanna
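The script-level packet path described in the reply, as an added example that is not part of this thread or of Bro's own scripts: the handler for new_packet does only a counter update per packet, and the reporting is deferred to connection_state_remove, which fires once per connection. It assumes the Bro 2.5 pkt_hdr / tcp_hdr record fields (tcp$dl is the TCP payload length); the module name and the two added connection fields are placeholders chosen for this example.

```bro
# Added example: minimal per-packet work in new_packet, reporting at
# connection end. Record field names below are assumed from Bro 2.5.
module PerPacketDemo;

export {
    redef record connection += {
        ## Packets seen for this connection via new_packet.
        demo_pkts: count &default=0;
        ## TCP payload bytes seen (tcp_hdr$dl is the data length).
        demo_tcp_payload: count &default=0;
    };
}

# new_packet is raised for every packet that belongs to a connection
# Bro tracks, so this body is kept as small as possible.
event new_packet(c: connection, p: pkt_hdr)
    {
    ++c$demo_pkts;
    if ( p?$tcp )
        c$demo_tcp_payload += p$tcp$dl;
    }

# connection_state_remove is raised once per connection, which is the
# cheaper place to do any reporting or logging.
event connection_state_remove(c: connection)
    {
    if ( c$demo_pkts > 0 )
        print fmt("%s: %d packets, %d bytes TCP payload",
                  c$uid, c$demo_pkts, c$demo_tcp_payload);
    }
```

Running it with `bro -r capture.pcap this_script.bro` prints one line per connection; comparing wall-clock time with and without the new_packet handler on a large pcap shows the per-packet event cost the reply refers to.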