BitTorrent protocol analyzer help

Hi, I need some help with the BitTorrent protocol analyzer. My aim is to log info_hash values for
files downloaded over bittorrent.

I can see bittorrent-related events in base/bif/plugins/Bro_BitTorrent.events.bif.bro but these
events don't seem to be getting raised. I'm testing with a .pcap generated on my laptop while
opening Transmission and starting a Fedora torrent download. I'm running Bro 2.3.1 on RHEL 6,
installed via the RPM.

I'm new to Bro and have been reading a lot of the documentation but I'm still not sure exactly how
I'm supposed to go about achieving this, so if someone could give me a pointer to get started that
would be greatly appreciated.

Thanks,
Nick.

> Hi, I need some help with the BitTorrent protocol analyzer. My aim is to log info_hash values for
> files downloaded over bittorrent.

The bittorrent analyzer has undergone some bitrot and doesn't currently have scripts that enable it.

> I can see bittorrent-related events in base/bif/plugins/Bro_BitTorrent.events.bif.bro but these
> events don't seem to be getting raised.

If you look at the base scripts for other protocols, you will see where the analyzer is attached to connections by a port heuristic or by a signature heuristic in the accompanying .sig file (in scripts/base/protocols/xxx/).

Generally, unless you're prepared to do some heavier core and scriptland work, bittorrent isn't going to be something you can just use right now.

  .Seth
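As an added illustration of the port-heuristic approach Seth describes (this is example code written for this page, not Seth's or the Bro project's own script), the following Bro 2.x-style policy attaches the BitTorrent analyzer to a port list and writes the info_hash from each peer-wire handshake to its own log. It assumes the analyzer tag is `Analyzer::ANALYZER_BITTORRENT` and that the `bittorrent_peer_handshake` event has the signature found in `base/bif/plugins/Bro_BitTorrent.events.bif.bro`; the port list is a guess based on common client defaults and should be adjusted to the traffic in the pcap.

```bro
##! Added example (not from the thread): attach Bro's BitTorrent analyzer to
##! peer-wire ports and log the info_hash from each peer handshake.
##! Assumptions: the analyzer tag is Analyzer::ANALYZER_BITTORRENT and the
##! event signature matches base/bif/plugins/Bro_BitTorrent.events.bif.bro in
##! Bro 2.3; the port list is a guess to be adjusted for your traffic.

module BitTorrent;

export {
	redef enum Log::ID += { LOG };

	## One record per observed peer handshake.
	type Info: record {
		ts:        time    &log;
		uid:       string  &log;
		id:        conn_id &log;
		## Hex-encoded 20-byte SHA-1 torrent identifier.
		info_hash: string  &log;
		## Peer ID, escaped so binary bytes do not corrupt the log.
		peer_id:   string  &log;
	};

	## Ports to attach the analyzer to (assumption: common client defaults;
	## Transmission uses 51413/tcp by default, many others 6881-6889/tcp).
	const ports = { 6881/tcp, 6882/tcp, 6883/tcp, 6884/tcp, 6885/tcp,
	                6886/tcp, 6887/tcp, 6888/tcp, 6889/tcp, 51413/tcp } &redef;
}

redef likely_server_ports += { ports };

event bro_init() &priority=5
	{
	Log::create_stream(BitTorrent::LOG, [$columns=Info]);
	# Port heuristic: the same mechanism the base scripts for other
	# protocols use to turn an analyzer on for matching connections.
	Analyzer::register_for_ports(Analyzer::ANALYZER_BITTORRENT, ports);
	}

event bittorrent_peer_handshake(c: connection, is_orig: bool, reserved: string,
                                info_hash: string, peer_id: string)
	{
	# Raised by the analyzer once it has parsed a peer-wire handshake;
	# the raw 20-byte hash is hex-encoded before logging.
	local rec: Info = [$ts=network_time(), $uid=c$uid, $id=c$id,
	                   $info_hash=bytestring_to_hexstr(info_hash),
	                   $peer_id=escape_string(peer_id)];
	Log::write(BitTorrent::LOG, rec);
	}
```

Run it against the capture with `bro -r capture.pcap bittorrent-hash.bro` and look for a `bittorrent.log` in the working directory. If the client negotiated a port outside the list, the signature heuristic Seth mentions is the alternative: a `.sig` file loaded with `@load-sigs` that matches the peer-wire handshake prefix (`\x13BitTorrent protocol`) and enables the analyzer by name. If the event still never fires even on connections the analyzer was attached to, the problem is inside the analyzer itself, which is the core work Seth warns about.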

Hi Seth, thanks for the response.

> The bittorrent analyzer has undergone some bitrot and doesn't currently have scripts that enable it.

Curious to know what you mean by bitrot exactly? Was it not complete in the first place, not
maintained to keep up with changes in Bro itself...?

> If you look at the base scripts for other protocols, you will see where the analyzer is attached to connections by a port heuristic or by a signature heuristic in the accompanying .sig file (in scripts/base/protocols/xxx/).

> Generally, unless you're prepared to do some heavier core and scriptland work, bittorrent isn't going to be something you can just use right now.

BitTorrent analysis would be quite useful to me so I'll have a look around. Even if I don't get it
working I should at least learn a bit about Bro :)

- Nick

> Curious to know what you mean by bitrot exactly? Was it not complete in the first place, not
> maintained to keep up with changes in Bro itself...?

It had some small issues and hasn't been updated to use the file analysis api internally. There were also never any 2.x style scripts written for it.

> BitTorrent analysis would be quite useful to me so I'll have a look around. Even if I don't get it
> working I should at least learn a bit about Bro :)

Please ask if you have any questions! You'll learn a lot about Bro if you do it. :)

  .Seth