[Bro] A lower level interface

Johanna Amann johanna at icir.org
Tue Oct 10 11:22:22 PDT 2017


> Basically I am looking for an interface by which we can examine and extract
> the features of byte stream (or strings) from the traffic (TCP payload),
> and then we will feed the stream to our analyzer (e.g., via BinPac).
> Currently I am looking at the tcp_contents; I think it might be sufficient
> so I don't have to use tcp_packet or new_packet.

I still don't quite get what you are planning to do here. Do you plan to
do some kind of signature to figure out that something is a specific
protocol (so match certain byte sequences)? Or do you really want to do
something more complex that needs scripting?

tcp_contents is probably less expensive than the other named choices, but
it probably still is pretty heavyweight.

Johanna
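As an added illustration of the two choices contrasted in this reply, not code from the thread or from the Bro project: the lighter option is a signature matched by the engine that only raises an event on a hit, while `tcp_contents` hands every payload chunk of the selected connections to script. The signature name, the `MYPROTO` byte pattern and the port 8888/tcp are assumed placeholders, and the event names follow Bro 2.x.

```bro
# Added example (assumes Bro 2.x). "MYPROTO" and 8888/tcp are placeholders.

# Option 1: let the core do the byte matching and only call into script on a hit.
# Contents of the assumed file myproto.sig:
#   signature myproto-banner {
#       ip-proto == tcp
#       payload /^MYPROTO /
#       event "myproto banner seen"
#   }
@load-sigs ./myproto.sig

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( msg == "myproto banner seen" )
        print fmt("%s -> %s: %s", state$conn$id$orig_h, state$conn$id$resp_h, msg);
    }

# Option 2: tcp_contents. Limit delivery to the port of interest instead of
# setting tcp_content_deliver_all_orig, otherwise every originator byte of
# every TCP connection is copied into script land.
redef tcp_content_delivery_ports_orig += { [8888/tcp] = T };

# Called once per delivered chunk; any matching done here runs in the
# interpreter, which is the cost this reply refers to.
event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
    {
    if ( ! is_orig )
        return;
    if ( /^MYPROTO / in contents )
        print fmt("%s: banner seen via tcp_contents at seq %d", c$id$orig_h, seq);
    }
```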