Hi,
I want to find a tool to split a captured trace (captured using tcpdump) into two parts: the normal sub-trace and the abnormal one, which comprises the network attacks detected. Can Bro do this? If not, any suggestion is preferred.
Thanks a lot!
Yours,
He
> I want to find a tool to split a captured trace (captured using tcpdump) into two parts: the normal sub-trace and the abnormal one, which comprises the network attacks detected. Can Bro do this? If not, any suggestion is preferred.
I can answer part of the question. Suppose you want to split a trace into two sets of connections, A and B. If you can write a Bro policy script to determine for each connection whether it belongs to A or B, you can instruct Bro to write packets to an output trace on a connection-by-connection basis. The function to call is:
# Dump original packets on the connection up to this point to the
# output trace, if any.
function dump_packets_of_connection%(c: connection%): any
Ruoming
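The same idea as in the reply above, classify each connection and then route its packets to one of two output traces, can also be done directly on the pcap file without Bro, which addresses the "any suggestion" part of the question. The following is an added example written for this thread, not code from Bro or from either poster. It parses the classic libpcap file format with the Python standard library, groups packets by a direction-independent TCP/UDP 5-tuple, asks a user-supplied predicate whether each connection is abnormal, and writes two traces that preserve the original packet order. The predicate shown here, the port set in SUSPICIOUS_PORTS, and the embedded SAMPLE_TRACE are constructed for illustration; a real deployment would replace the predicate with whatever detection decides membership in set A or B.

```python
"""Split a tcpdump/libpcap trace into a normal and an abnormal trace, per connection."""
import socket
import struct
import sys
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, little-endian, microsecond timestamps
ETH_IPV4 = 0x0800
TCP, UDP = 6, 17

# Constructed example criterion: any connection touching one of these ports is "abnormal".
SUSPICIOUS_PORTS = {23, 4444}


def read_pcap(data):
    """Return (global_header, [(record_header, packet_bytes), ...]) for a pcap blob."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    ghdr, records, off = data[:24], [], 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) < incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((data[off:off + 16], pkt))
        off += 16 + incl_len
    return ghdr, records


def conn_key(pkt):
    """Direction-independent (proto, endpoint, endpoint) key for an Ethernet/IPv4/TCP|UDP frame.

    Returns None for anything else (ARP, IPv6, ICMP, ...), which the splitter keeps in the normal trace.
    """
    if len(pkt) < 34 or struct.unpack_from("!H", pkt, 12)[0] != ETH_IPV4:
        return None
    ihl = (pkt[14] & 0x0F) * 4
    proto = pkt[23]
    l4 = 14 + ihl
    if proto not in (TCP, UDP) or len(pkt) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", pkt, l4)
    a = (socket.inet_ntoa(pkt[26:30]), sport)
    b = (socket.inet_ntoa(pkt[30:34]), dport)
    return (proto,) + tuple(sorted((a, b)))   # both directions map to the same key


def is_abnormal(key, pkts):
    """Constructed predicate: flag a connection if either endpoint uses a suspicious port."""
    _proto, a, b = key
    return a[1] in SUSPICIOUS_PORTS or b[1] in SUSPICIOUS_PORTS


def split_trace(data, predicate):
    """Return (normal_pcap_bytes, abnormal_pcap_bytes); every packet of a connection goes to one side."""
    ghdr, records = read_pcap(data)
    keys = [conn_key(pkt) for _, pkt in records]
    conns = defaultdict(list)
    for key, (_, pkt) in zip(keys, records):
        conns[key].append(pkt)
    abnormal_keys = {k for k, pkts in conns.items() if k is not None and predicate(k, pkts)}
    normal, abnormal = bytearray(ghdr), bytearray(ghdr)
    for key, (rec_hdr, pkt) in zip(keys, records):
        (abnormal if key in abnormal_keys else normal).extend(rec_hdr + pkt)
    return bytes(normal), bytes(abnormal)


# --- constructed sample trace so the example runs offline ---------------------------------
def make_frame(src_ip, sport, dst_ip, dport, proto=TCP, payload=b""):
    """Build a minimal Ethernet/IPv4/TCP-or-UDP frame (checksums left at 0; not verified here)."""
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETH_IPV4)
    if proto == TCP:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def make_pcap(frames):
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_TRACE = make_pcap([
    make_frame("10.0.0.5", 40001, "10.0.0.9", 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    make_frame("10.0.0.9", 80, "10.0.0.5", 40001, payload=b"HTTP/1.0 200 OK\r\n"),
    make_frame("10.0.0.5", 40002, "10.0.0.9", 23),          # telnet: abnormal by our criterion
    make_frame("10.0.0.9", 23, "10.0.0.5", 40002),
    make_frame("10.0.0.5", 40003, "10.0.0.9", 53, proto=UDP, payload=b"\x00" * 12),
])

if __name__ == "__main__":
    # Usage: python split_trace.py input.pcap   (writes normal.pcap and abnormal.pcap)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    normal, abnormal = split_trace(data, is_abnormal)
    open("normal.pcap", "wb").write(normal)
    open("abnormal.pcap", "wb").write(abnormal)
    print("normal: %d packets, abnormal: %d packets"
          % (len(read_pcap(normal)[1]), len(read_pcap(abnormal)[1])))
```

Run without arguments it splits the embedded sample (three packets to normal.pcap, two telnet packets to abnormal.pcap); with a file argument it splits a real tcpdump capture. Only the little-endian microsecond pcap variant and Ethernet link type are handled, so a pcapng or nanosecond capture should be converted first, and because the key is direction-independent the predicate cannot tell originator from responder; if that distinction matters, record the first-seen direction when grouping.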