[Bro] A lower level interface

Shuai Hao haoscs at gmail.com
Tue Oct 10 11:41:46 PDT 2017


The thing we are planning to do is similar to the [protocol reverse
engineering + traffic pattern recognition]; so we consider that we may need
the lower level interface to inspect the byte stream since the patterns
that we want to identify (e.g., a series of connection activities) would
involve various protocols.

We do have the signature part to accomplish the payload matching. But it
may not be sufficient when we consider the traffic recognition (e.g.,
generating a signature that involves various protocols and network
components).

Thanks for your replies. It does help much.


On Tue, Oct 10, 2017 at 2:22 PM, Johanna Amann <johanna at icir.org> wrote:

> > Basically I am looking for an interface by which we can examine and
> > extract the features of byte stream (or strings) from the traffic (TCP
> > payload), and then we will feed the stream to our analyzer (e.g., via
> > BinPac). Currently I am looking at the tcp_contents; I think it might be
> > sufficient so I don't have to use tcp_packet or new_packet.
>
> I still don't quite get what you are planning to do here. Do you plan to
> do some kind of signature to figure out that something is a specific
> protocol (so match certain byte sequences)? Or do you really want to do
> something more complex that needs scripting?
>
> tcp_contents is probably less expensive than the other named choices, but
> it probably still is pretty heavyweight.
>
> Johanna
>
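As an added illustration of the trade-off discussed above (not code from the thread or from the Bro project), the script below enables `tcp_contents` delivery only for a couple of ports and inspects just the first bytes of each originator stream, which keeps the otherwise heavyweight event from firing for every connection; the ports and the TLS-handshake pattern are assumptions chosen for the example.

```bro
# Added example: scoped tcp_contents inspection in Bro script.
# Assumptions: the ports and the pattern below are hypothetical choices.

# Only connections on these ports have their payload delivered to
# script-land; delivering every stream is what makes tcp_contents costly.
redef tcp_content_delivery_ports_orig += { [8080/tcp] = T, [4444/tcp] = T };
redef tcp_content_delivery_ports_resp += { [8080/tcp] = T, [4444/tcp] = T };

# Bytes already examined per connection, so we stop after a short prefix.
global inspected: table[conn_id] of count &default=0 &create_expire=5 min;
const max_inspect_bytes = 64;

# Constructed pattern: a TLS record header (content type 0x16, version 3.x)
# appearing on a port where TLS is not expected.
const tls_hello_prefix = /^\x16\x03[\x00-\x03]/;

event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
	{
	# Look at the originator side only; the responder is not needed here.
	if ( ! is_orig )
		return;

	local id = c$id;

	# Prefix already checked for this connection: nothing more to do.
	if ( inspected[id] >= max_inspect_bytes )
		return;

	inspected[id] += |contents|;

	if ( tls_hello_prefix in contents )
		print fmt("%s -> %s:%s: TLS-like handshake on a non-TLS port",
		          id$orig_h, id$resp_h, id$resp_p);
	}
```

The same prefix check could be expressed as a signature with a `payload` pattern loaded via `@load-sigs`, which is the cheaper route whenever a fixed byte sequence is all that needs to be recognised.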