[Bro] Bro Traffic analysis flow shunting questions

Drew Dixon dwdixon at umich.edu
Tue Feb 20 09:46:39 PST 2018


Hello,

I have some questions regarding implementing shunting of traffic that has
no analysis value and what the recommended approach is for doing so with a
large bro cluster that will be analyzing very high volumes of traffic.

I am aware of the Bro net-control framework and am wondering if this is
where I should start and what should be leveraged to begin implementing
shunting with the latest version of bro?

- In addition to "ordinary" elephant flows, I'm also interested in shunting
out large video streaming services (netflix, hulu, prime video, hbogo,
vimeo, etc.) which do not have analysis value. First, I'm wondering whether
any of this would get picked up in the bulk transfer/flow detection already
built into the existing conn-bulk.bro script detection?

- Is the use of dumbno <https://github.com/ncsa/dumbno> with
bro-react/conn-bulk.bro for detection and shunting of bulk
transfers/elephant flows relevant still considering bro-netcontrol exists?
Are these viewed as plugins/backends for bro-netcontrol? I believe
bro-netcontrol also has some shunting (built in?). Is any of
dumbno/conn-bulk.bro built into bro-netcontrol already, or is further
configuration required to set up dumbno/conn-bulk.bro with net-control?

- If the answer to the first bullet point above is no, is anyone already
shunting this type of video streaming traffic, and is there a bro script out
there anyone could share so we aren't reinventing the wheel? Assuming
nothing exists, would it be plausible to leverage the ssl.log domain name
metadata to do the detection piece for this, then pulling out the IP/Port
info to insert shunting ACLs via the packet broker API? Would extending
dumbno/bro-react/conn-bulk.bro to support this (assuming it doesn't catch
this traffic already) be something desirable?  Also, would this be a good
approach for detecting large video streaming traffic flows, or would there
be a better approach?

Wondering if someone is already doing this and would be willing to share or
link to something on GitHub perhaps?

Many thanks,

-Drew
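The SNI-based approach sketched in the third bullet, written out as an added example in Bro script (not code from the original post or from the Bro project): it matches the TLS server name of an established connection against a constructed list of streaming domains and asks the NetControl framework to shunt that flow. The debug backend stands in for a real packet-broker backend, and the domain list and module name are assumptions.

```bro
##! Added example (not from the original post): shunt video streaming flows
##! identified by the TLS SNI, using the NetControl framework.
##! Assumptions: the debug backend stands in for a real packet-broker
##! backend, and the domain list below is constructed for illustration.

@load base/frameworks/netcontrol
@load base/protocols/ssl

module ShuntVideo;

export {
	## Server names (SNI) treated as having no analysis value. Constructed
	## list; extend it to match the site's actual streaming traffic.
	const streaming_sni: pattern =
		/(^|\.)(netflix\.com|nflxvideo\.net|hulu\.com|hbogo\.com|vimeo\.com)$/ &redef;

	## How long an installed shunt rule stays in place.
	const shunt_duration: interval = 1hr &redef;
}

# Register a backend at startup. The debug plugin only logs the rules it
# would install; a deployment would activate the plugin for its packet broker.
event NetControl::init()
	{
	local pacf = NetControl::create_debug(T);
	NetControl::activate(pacf, 0);
	}

# At this point the handshake is done and the SNI is known, so the flow can
# be matched before the bulk of the video payload arrives.
event ssl_established(c: connection)
	{
	if ( ! c$ssl?$server_name )
		return;

	if ( streaming_sni !in c$ssl$server_name )
		return;

	# Build the 5-tuple NetControl expects and request the shunt; the
	# returned rule id is empty if no backend accepted the rule.
	local flow = NetControl::flow_id($src_h=c$id$orig_h, $src_p=c$id$orig_p,
	                                 $dst_h=c$id$resp_h, $dst_p=c$id$resp_p);
	local rule_id = NetControl::shunt_flow(flow, shunt_duration);
	if ( rule_id != "" )
		Reporter::info(fmt("shunting %s to %s", c$uid, c$ssl$server_name));
	}
```

Rules installed this way appear in netcontrol.log, which is the place to verify that only the intended flows are being removed from analysis.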

