Documentation about List/Queue/HashMap data structures in Bro

Hi,

I am writing an anomaly detector using Bro. I have two questions.

1) I am trying to correlate traffic in the two directions of a connection. I am currently using the "DataSent" method of the "TCP_Endpoint" class to do some processing when data is sent by an endpoint of a connection. I need to do so for both the endpoints of a connection in order to correlate traffic in the two directions. Is there any other method that I can use, which gets invoked whenever data flows in either direction of a connection with some indication of whether the data was

2) I need to maintain the different endpoints in some sort of ArrayList/HashMap. I observed that there are already some list/queue implementations in Bro. Where can I find documentation about using these data structures regarding available methods / method parameters, etc.?

Any help would be greatly appreciated.

Thanks and Regards,
Abhinay

Hi Abhinay,

> 1) I am trying to correlate traffic in the two directions of a
> connection. I am currently using the "DataSent" method of "TCP_Endpoint"
> class to do some processing when data is sent by an endpoint of a
> connection.

For this type of analysis it might be better to write a Bro script instead of adding code directly to the engine.

TCP_Endpoint::DataSent() corresponds to the event:

  event tcp_packet%(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string%);

Or if you want reassembled contents:

  event tcp_contents%(c: connection, is_orig: bool, seq: count, contents: string%);

> 2) I need to maintain the different endpoints in some sort of
> ArrayList/HashMap. I observed that there are already some list/queue
> implementations in Bro. Where can I find documentation about using these
> data structures regarding available methods / method parameters, etc.

You may use "table" and "set" in the Bro language. Please see scripts under bro/policy/ for examples.

Ruoming
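The following script is an added example illustrating the two points in Ruoming's reply; it is not code from the thread or from the Bro project. It uses the script-level tcp_contents event (with its is_orig flag) to count payload bytes in each direction of a connection, keeps the per-connection counters in a "table" keyed by conn_id and the endpoints seen in a "set", and reports connections whose directional byte ratio is lopsided. The module name, record type, the 50:1 threshold and the 5-minute expiry are assumptions chosen for illustration, not values from the thread.

```bro
# Added example (not from the thread): direction-aware byte accounting
# written as a Bro script rather than as engine (C++) code.

# tcp_contents is only delivered for ports/connections Bro is told to
# reassemble; these redefs turn it on for every connection in both
# directions. That is expensive on busy links, so a deployment would
# normally restrict this with tcp_content_delivery_ports_orig/resp.
redef tcp_content_deliver_all_orig = T;
redef tcp_content_deliver_all_resp = T;

module DirStats;

export {
    # Assumed record type: payload bytes counted per direction.
    type Counters: record {
        orig_bytes: count &default=0;
        resp_bytes: count &default=0;
    };

    # Per-connection counters keyed by the 4-tuple. &create_expire keeps
    # the table from growing without bound if connection_state_remove
    # never fires for an entry (assumed 5 min expiry).
    global per_conn: table[conn_id] of Counters &create_expire=5min;

    # Endpoints (address/port) that have sent at least one payload byte.
    global seen_endpoints: set[addr, port];

    # Assumed threshold: report when one direction carries 50x the other.
    const max_ratio = 50 &redef;
}

# Fires once per reassembled chunk; is_orig says which side sent it.
event tcp_contents(c: connection, is_orig: bool, seq: count, contents: string)
{
    if ( c$id !in per_conn )
        per_conn[c$id] = [$orig_bytes=0, $resp_bytes=0];

    if ( is_orig )
        {
        per_conn[c$id]$orig_bytes += |contents|;
        add seen_endpoints[c$id$orig_h, c$id$orig_p];
        }
    else
        {
        per_conn[c$id]$resp_bytes += |contents|;
        add seen_endpoints[c$id$resp_h, c$id$resp_p];
        }
}

# When the connection's state is torn down, compare the two directions.
event connection_state_remove(c: connection)
{
    if ( c$id !in per_conn )
        return;

    local ctr = per_conn[c$id];
    local o = ctr$orig_bytes;
    local r = ctr$resp_bytes;

    # Guard against division by zero when a direction carried no payload.
    local larger = o > r ? o : r;
    local smaller = o > r ? r : o;

    if ( smaller == 0 || larger / smaller >= max_ratio )
        print fmt("lopsided connection %s:%d -> %s:%d orig=%d resp=%d",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, o, r);

    # Release the entry; seen_endpoints is kept for the run as a whole.
    delete per_conn[c$id];
}
```

Running this as `bro -r trace.pcap dirstats.bro` (the file name is assumed) prints one line per lopsided connection. Note that a `smaller == 0` result also covers one-sided connections, such as scans that never receive a payload reply, so a detector built on this would want to treat "no reply at all" separately from "very little reply".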