[Bro] A lower level interface

Johanna Amann johanna at icir.org
Tue Oct 10 10:01:44 PDT 2017


Hi,

> I've seen many discussions referring to Bro as an alternative to
> libnids.

Out of curiosity - where did you see discussions like that?

I do not really know much about libnids, but from the readme it seems that
libnids is a library that mostly implements TCP reassembly. While this is
a part of what Bro does, it is only a small part of it; obviously the
main focus of Bro is on a different layer.

> I wonder whether we can use a lower-level interface similar
> to libnids in Bro (e.g., for the TCP reassembly)?

I am not quite sure what you are looking for here, could you perhaps
expand a bit on that?

The lowest level access that you can get is probably by writing a custom
(C++) analyzer that gets passed either the reassembled TCP payloads or
just the raw packets in the case of UDP.

> We would like to explore the string features of packets, while continuing
> to leverage Bro's high-level events.

You can use something like the new_packet events in Bro to get access to
individual packet information. However, there is a performance penalty
associated with this (script-level events are fairly expensive and usually
there are a few per connection, not a few per packet).

For anything carrying a significant amount of traffic that approach
probably is not viable.

It depends a bit on what you want to do - preprocessing in C++ and then
bubbling up more high-level events should be a more realistic choice.

I hope this helps,
 Johanna
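As an added illustration of the script-level approach described in the reply above (this is example code written for this page, not code from the post or from the Bro project): a Bro script that inspects per-packet payload bytes with the built-in packet_contents event, keeps the per-packet work to a minimum, and raises one custom higher-level event per connection. The module name PayloadPeek, the event name payload_marker_seen, and the marker strings are assumptions made for the example.

```bro
# Added example, not from the mailing-list post or the Bro distribution.
# Per-packet payload inspection at script level; the packet_contents
# handler runs for every payload-carrying packet, so it does as little
# as possible and hands the result up as one event per connection.

module PayloadPeek;

export {
    ## Assumed event name for this example: raised once per connection
    ## when the first payload-carrying packet starts with a known marker.
    global payload_marker_seen: event(c: connection, marker: string);

    ## Constructed sample markers (first four payload bytes) for this example.
    const markers: set[string] = { "GET ", "HELO", "SSH-" } &redef;
}

# Connections whose first payload packet has already been inspected.
global seen: set[string];

# packet_contents is generated for every packet with a non-empty
# transport-layer payload. This is the expensive per-packet path the
# reply warns about, so bail out as early as possible.
event packet_contents(c: connection, contents: string)
    {
    if ( c$uid in seen )
        return;
    add seen[c$uid];

    if ( |contents| < 4 )
        return;

    # sub_bytes() uses a 1-based start position: the first four bytes.
    local prefix = sub_bytes(contents, 1, 4);
    if ( prefix in markers )
        event payload_marker_seen(c, prefix);
    }

# The higher-level event fires at most once per connection, which is the
# "few per connection, not a few per packet" cost profile the reply prefers.
event payload_marker_seen(c: connection, marker: string)
    {
    print fmt("%s %s:%s -> %s:%s first payload starts with %s",
              c$uid, c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p, marker);
    }

# Drop the per-connection state when Bro removes the connection.
event connection_state_remove(c: connection)
    {
    delete seen[c$uid];
    }
```

Run it against a trace with `bro -r trace.pcap payload_peek.bro` (file name assumed). Even with the early return, the packet_contents handler is still dispatched for every payload packet, which is the cost that makes this approach unattractive on a busy link; moving the prefix check into a C++ analyzer and raising only payload_marker_seen from there is the preprocessing-in-C++ option the reply recommends.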

