Bro as a fancy pcap filter

Hi,

I just bumped into a situation where I wanted to tell Bro to record
packets to an output pcap file, but do so only under certain
circumstances. In my case this essentially boiled down to "only the
first packet in a 5-tuple TCP/UDP flow that carries app-layer data", but
let's imagine any decision that depends on policy- or in-core state.

I got it to work by hacking around in the core, but it wasn't pretty.
Does Bro have a mechanism for doing this nicely? In the rewriter
framework, maybe (is that documented anywhere btw)? Thanks!

Cheers,
Christian.

Yes, there's some primitive mechanism to do that. Sorry, it's undocumented, but let me give it a try here:

# Set the flag to true to enable the "TCP source packet writer" (sorry, no UDP).
# All packets will be kept until they are dumped or the connection ends,
# so please be very careful using it on live traffic.
redef dump_selected_source_packets = T;

# Connections for which we have already dumped, so we only do it once.
global dumped: set[conn_id];

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# First packet of this connection carrying some app-layer data.
	if ( len > 0 && c$id !in dumped )
		{
		add dumped[c$id];
		dump_packets_of_connection(c); # dump all packets up to this point for connection c.
		}
	}

And you can imagine calling dump_packets_of_connection() in all kinds of other events.

Currently there's no built-in function to discard packets that we do not want to dump (so there's no way to dump the exact 10th packet of a connection), but the code is already there (see class TCP_SourcePacketWriter), so it's fairly simple to implement.

Ruoming

Alternatively, and more fine-grained, there is

global dump_current_packet: function(file_name: string): bool;

which can be called at any time and, well, dumps the current packet
into the given file. If the file already exists, the packet is
appended. If you always dump into the same file, Bro is smart enough
to keep it open all the time.

Robin
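As an added illustration of Robin's suggestion (this is not code from the thread or from the Bro distribution), the following script writes only the first data-carrying packet of each TCP connection to a pcap file with dump_current_packet(). It assumes the tcp_packet event signature from Bro's event.bif, that dump_current_packet() returns F on failure as the declaration above implies, and that the output file name is whatever you redef first_data_pcap to; the per-connection bookkeeping in the dumped set is my own.

```bro
# Added example: dump only the first packet with app-layer payload of each
# TCP connection, using dump_current_packet() rather than the source packet
# writer, so no per-connection packet buffering is needed.

# Output file (assumed name); packets are appended if it already exists and
# Bro keeps it open as long as every call uses the same name.
const first_data_pcap = "first-data.pcap" &redef;

# Connections whose first payload packet has already been written.
global dumped: set[conn_id];

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	# Pure control packets (SYN, ACK, FIN, RST) carry no data; skip them.
	if ( len == 0 )
		return;

	# Already handled this 5-tuple.
	if ( c$id in dumped )
		return;

	add dumped[c$id];

	# The "current packet" is the one that raised this event.
	if ( ! dump_current_packet(first_data_pcap) )
		print fmt("dump_current_packet failed for %s", c$id);
	}

event connection_state_remove(c: connection)
	{
	# Forget the connection once Bro expires it, so the set does not
	# grow without bound on live traffic.
	delete dumped[c$id];
	}
```

Because the decision is taken inside the event handler, the same pattern works for any other policy-layer condition: replace the len > 0 test with whatever state you track, and call dump_current_packet() only when it holds.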

Nice! That's exactly what I need -- thanks a bunch guys.

Cheers,
Christian.