I am using bro 2.5 to process PCAP dumps and am storing both the raw PCAP and the bro logs in Hbase. I already have an acceptable pipeline for getting both bro logs and PCAP into Hbase, but I want to be able to have each packet linked back to the conn.log entry (using the uid field).
Currently, I am doing this in Hbase, but would rather have bro do it for me. Is it possible to have bro create either individual PCAP files for each log entry or a single log file that listed individual packets (presumably with a packet offset in the PCAP file) along with the uid from the conn.log file?
I saw this option in YAF and was hoping it existed in bro.
Sorry, forgot to add the [bro] in the subject line...
It actually is added automatically
> I am using bro 2.5 to process PCAP dumps and am storing both the raw
> PCAP and the bro logs in Hbase. I already have an acceptable pipeline
> for getting both bro logs and PCAP into Hbase, but I want to be able
> to have each packet linked back to the conn.log entry (using the uid
> field).
> Currently, I am doing this in Hbase, but would rather have bro do it
> for me. Is it possible to have bro create either individual PCAP
> files for each log entry or a single log file that listed individual
> packets (presumably with a packet offset in the PCAP file) along with
> the uid from the conn.log file?
Let me prefix this with the caveat of "this is probably not a good idea,
because Bro is not built for this use-case". That being said - I don't
think that Bro exposes the packet offset of a pcap file, so that is out.
However, it should indeed be possible to create individual pcap files for
each conn.log entry.
The way I would try doing this is catching the new_packet event
https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-new_packet
and then using dump_current_packet to write the packet to a pcap file
https://www.bro.org/sphinx/scripts/base/bif/bro.bif.bro.html#id-dump_current_packet
(dump_current_packet appends to already existing files).
Note that I did not test if this really works and this probably carries a
hefty performance penalty.
Johanna
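Sketching the approach above as an added, untested Bro 2.5 script (not from this thread): every packet attributed to a connection is appended to a pcap named after its conn.log uid, and a small log stream records which packet went into which file so the Hbase side can join on uid. The `PacketDump` module, the `per_conn_pcaps` directory and the `packet_dump` log name are assumptions.

```bro
# Added example, not from the mailing-list thread.
# Assumes the Bro 2.5 script-layer API: new_packet, dump_current_packet,
# mkdir and the Log framework.
module PacketDump;

export {
    redef enum Log::ID += { LOG };

    ## Directory that receives one pcap per connection (assumed path).
    const dump_dir = "per_conn_pcaps" &redef;

    ## One row per packet: ties the packet to its conn.log uid and pcap file.
    type Info: record {
        ts:   time    &log;   ## timestamp of the packet
        uid:  string  &log;   ## conn.log uid the packet belongs to
        id:   conn_id &log;   ## 4-tuple, logged as id.orig_h etc.
        path: string  &log;   ## pcap file the packet was appended to
        ok:   bool    &log;   ## whether dump_current_packet succeeded
    };
}

event bro_init()
{
    # packet_dump.log is the join table between packets and conn.log uids
    Log::create_stream(PacketDump::LOG, [$columns=Info, $path="packet_dump"]);
    mkdir(dump_dir);
}

# new_packet fires for every packet that Bro has mapped to a connection.
# Because dump_current_packet appends, each uid accumulates its own pcap.
# This runs per packet, so expect the performance penalty mentioned above.
event new_packet(c: connection, p: pkt_hdr)
{
    local fname = fmt("%s/%s.pcap", dump_dir, c$uid);
    local ok = dump_current_packet(fname);
    Log::write(PacketDump::LOG, [$ts=network_time(), $uid=c$uid,
                                 $id=c$id, $path=fname, $ok=ok]);
}
```

Run it offline with `bro -r capture.pcap packet_dump.bro`; the uid in packet_dump.log matches the uid column of conn.log from the same run, so both can be keyed in Hbase.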