Is it applicable to a specific target ip using the command line in bro?

I want to analyze traffic in/out of a specific host (identified by ip) in a trace file,
where the processing for in and out streams is different. So it would be a problem to
notify the script which host is my target. A python script was used to generate
the command lines, such as
bro -r xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind of command.
Is there any mechanism in bro to fulfill this requirement?

There is a way to configure the ip in files, but I think that would hit its limit
with multi-thread processing.

Or would broccoli-python suit me? How would it communicate with a trace-file-based bro server?

Could you just script it to pass the ip as a filter to bro?

bro -r <file.pcap> -f "host a.b.c.d" myscript.bro?

Sridhar

bro -r xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind of command.
Is there any mechanism in bro to fulfill this requirement?

You can set any &redef variable from the command line. e.g. if yyyy.bro contains:

    const target_ip: addr &redef;

    event bro_init()
        {
        print target_ip;
        }

Then you can do the following:

    $ bro yyyy.bro target_ip=1.2.3.4
    1.2.3.4

Does that help?

+Jon
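Putting the command-line redef together with the original in/out requirement, here is an added example script (not from the thread or the Bro project) that splits connections in a trace into those originated by the target host and those addressed to it. The script name inout.bro and the address 10.0.0.5 are assumptions; run it as `bro -r trace.pcap inout.bro target_ip=10.0.0.5`.

```bro
# Added example: classify each connection in a trace relative to the host
# given on the command line via "target_ip=a.b.c.d" (see Jon's answer).
# Script name and the sample address used when running it are assumptions.

const target_ip: addr &redef;

global outbound = 0;   # connections originated by target_ip
global inbound = 0;    # connections where target_ip is the responder

event bro_init()
    {
    print fmt("Target host: %s", target_ip);
    }

# Fires once per connection after its state is torn down, so every
# connection in the trace is classified exactly once.
event connection_state_remove(c: connection)
    {
    if ( c$id$orig_h == target_ip )
        {
        ++outbound;
        print fmt("OUT %s:%s -> %s:%s duration=%s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$duration);
        }
    else if ( c$id$resp_h == target_ip )
        {
        ++inbound;
        print fmt("IN  %s:%s -> %s:%s duration=%s",
                  c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, c$duration);
        }
    # Connections not involving target_ip are ignored.
    }

event bro_done()
    {
    print fmt("%d connections originated by %s, %d connections to it",
              outbound, target_ip, inbound);
    }
```

Because target_ip is a plain `&redef` constant, the same script can be driven for several hosts by a generating script that only varies the `target_ip=` argument, with no per-host config file.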

$ bro yyyy.bro target_ip=1.2.3.4

Hah, I didn't know about that. Is that new with 2.x?

    Matthias

Shouldn't be, I remember seeing a chunk of code in the lexer when I first had to hack on it that adds "redef" statements for any X=Y command line parameters.

+Jon

Nope, it's been there for a long time.

  .Seth

This is wonderful.
It fits me very well.