I am relatively new to Bro and was wondering if Bro has any way of
detecting encryption and/or plain text in the dpd module or anywhere else.
I have several use cases.
1. I wish to determine whether a program that has an auto-update feature
is sending the updates using encryption.
2. I wish to determine if a chat application is sending data encrypted.
I had a suggestion from my advisor that I should compress the data
being sent over the wire to see if it is compressible or not and use
that in determining whether a stream is using encryption or not.
Any suggestions or advice on this problem would be greatly appreciated.
That is amazing! Would I need to make additions in a script of mine in
order to differentiate between encryption and compression?
I had a suggestion from my advisor that I should compress the
data being sent over the wire to see if it is compressible or not
and use that in determining whether a stream is using encryption
or not.
Unfortunately we still haven’t added file and connection entropy analyzers yet. I have a file entropy analyzer floating around somewhere, but generally both of those are extremely easy to write. I think that Ben would need those to do what he’s trying to do.
These wouldn’t be written as scripts. Connection and file analyzers need to be written as plugins or in the core. They are typically implemented in C++ or BinPAC.
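The compressibility test suggested by the advisor, with a Shannon entropy measure alongside it, as an added Python example that is not part of this thread or of Bro/Zeek. Every sample is constructed inline (a word stream, its zlib-compressed form, and a SHA-256 counter stream standing in for ciphertext), and the 0.9 ratio threshold is an assumption; the run also shows why the follow-up question is hard, since compressed and encrypted-looking data both come out incompressible.

```python
# Added illustration of the compressibility / entropy heuristic discussed in
# this thread. Not Bro/Zeek code; every sample below is constructed inline.
import hashlib
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0) of the byte-value histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def compression_ratio(data: bytes) -> float:
    """zlib output size / input size: well below 1.0 means the sample
    compressed (plaintext-like); about 1.0 or more means it did not."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)

def classify(data: bytes, ratio_threshold: float = 0.9) -> str:
    """The advisor's test from the thread: incompressible -> 'high-entropy'.
    On its own it cannot separate encryption from prior compression."""
    if compression_ratio(data) < ratio_threshold:
        return "plaintext"
    return "high-entropy"

def pseudo_ciphertext(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic SHA-256 counter stream standing in for ciphertext
    (no real cipher; it is merely statistically ciphertext-like)."""
    out = bytearray()
    for i in range((n + 31) // 32):
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
    return bytes(out[:n])

# Constructed samples, not real captures.
_rng = random.Random(1234)
_WORDS = ("update available version check client server hello chat "
          "message sent received status ok error retry token user id").split()
PLAINTEXT = " ".join(_rng.choice(_WORDS) for _ in range(800)).encode()
COMPRESSED = zlib.compress(PLAINTEXT, 9)        # compressed, not encrypted
CIPHERTEXT = pseudo_ciphertext(len(PLAINTEXT))  # encrypted-looking

if __name__ == "__main__":
    for name, s in (("plaintext", PLAINTEXT), ("compressed", COMPRESSED),
                    ("ciphertext", CIPHERTEXT)):
        print(f"{name:10s} entropy={shannon_entropy(s):.2f} "
              f"ratio={compression_ratio(s):.2f} -> {classify(s)}")
```

A real analyzer would apply this per direction over a sliding window of payload bytes, since a protocol handshake and the bulk data often differ.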