Dear Bro team,
I have a question about Bro. Does Bro generate only one event for one packet/connection? Or will Bro generate multiple events for one packet/connection?
I have read the paper “Bro: A system for Detecting Network Intruder in Real-time.” The example showed that Bro generated a “Finger” event, instead of a TCP_connection event, when the connection meets more conditions. Is this always true?
It is possible for Bro to generate more than one event.
For example, it is possible for one UDP packet to generate
both "udp_reply" and "udp_contents" events.
Similarly, an HTTP request will cause Bro to generate an
"http_request" event and a "tcp_packet" event.
All of the Bro events are described in the documentation:
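As an added illustration that is not part of the reply above, the following script in Bro's scripting language (now Zeek) tallies, per connection, how often each of the events named in the reply fires, so the overlap can be observed on a trace. The event signatures are those of Bro 2.x and later, and the `seen` table and `tally` function are hypothetical names introduced here.

```zeek
# Added example (not from the thread): tally which events fire per connection.
# Event names are those in the reply; signatures as in Bro 2.x / Zeek.

# Assumption: udp_contents is only raised when content delivery is enabled.
redef udp_content_deliver_all_orig = T;
redef udp_content_deliver_all_resp = T;

# Hypothetical bookkeeping: connection 4-tuple -> event name -> count.
global seen: table[conn_id] of table[string] of count;

function tally(c: connection, ev: string)
	{
	if ( c$id !in seen )
		seen[c$id] = table();
	if ( ev !in seen[c$id] )
		seen[c$id][ev] = 0;
	++seen[c$id][ev];
	}

event udp_reply(u: connection)
	{ tally(u, "udp_reply"); }

event udp_contents(u: connection, is_orig: bool, contents: string)
	{ tally(u, "udp_contents"); }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{ tally(c, "http_request"); }

# tcp_packet fires for every TCP packet and is expensive; use on traces only.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
	{ tally(c, "tcp_packet"); }

# Print the per-event counts once the connection is flushed from state.
event connection_state_remove(c: connection)
	{
	if ( c$id !in seen )
		return;
	for ( ev in seen[c$id] )
		print fmt("%s:%s -> %s:%s %s x%d", c$id$orig_h, c$id$orig_p,
		          c$id$resp_h, c$id$resp_p, ev, seen[c$id][ev]);
	delete seen[c$id];
	}
```

Run against a capture containing an HTTP session, the output lists both `http_request` and `tcp_packet` under the same connection, with `tcp_packet` counted once per packet.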