Monitoring a directory and running bro on the PCAPs

Does anyone have experience using Bro to run its analysis on PCAPs being
written to a directory in an automated fashion?
Should a cron just be run at a lag using bro -r and script options?
Thank you,

-Art

Hi Art,

that is the easiest way to do that, yes, just run Bro after the pcap files
have been written. The only disadvantage of this approach is that you
lose session state between runs of Bro; when you run Bro on the following
file, it will not parse any data from tcp sessions that started in the
previous file.

Johanna

Thank you. Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!

Art

Hi,

unless you have a way to replay the data to an interface that Bro can
listen on (either by duplicating the traffic, or by using something like
tcpreplay), I am not really aware of a good solution.

Johanna

Either that or inotify that runs bro with a few lines of Python code. Replaying is better because it won't create backlogs or bros.

Or even a few lines in Python with inotify that starts replay?

Hi,
I have made a packetbroker for this. Use tcpdump + netcat to the packetbroker for each interface. Then with one bro consume all packets from the broker.
https://hub.docker.com/r/danielguerra/packetbroker/
It's a concept test and was written in Perl.

Regards,
Daniel

Thank you all for the advice. I am trying not to duplicate capturing efforts as we use a different in-house developed, open-sourced tool (Moloch) for capture as well. Currently I am running bro concurrently with suri and would love to reduce the overhead of performing both capture and analysis with bro. Thanks again all! I will think about using our npbs for a duplicate traffic stream and look into the other suggestions mentioned as well.

Art

Hmm, it probably wouldn't be that hard to write a 'pcapdir' pkt source for bro. Basically it would just need to:

while(!terminating) {
    pcap_files = all .pcap files in SOURCE_DIR
    sort pcap_files by oldest # hopefully there is only one file
    for each pcap file {
        open and process packets into bro
        delete pcap #or move to a DONE_DIR/.
    }
    if no files in pcap_files
        sleep(10ms)
}

You'd just need the other tool to hardlink or move the pcaps into the SOURCE_DIR as they are done being written to.

This would also fix the tcp session issues.
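As an added example (not code from this thread or from the Bro project), here is the drain loop sketched above written as an external Python watcher that runs `bro -r` on each finished pcap and moves it to DONE_DIR; because it is outside Bro rather than an in-process packet source, it still loses TCP session state between files, as Johanna noted. The `min_age` check is an assumption of mine for the case where the capture tool does not move files into SOURCE_DIR only once they are closed.

```python
import shutil
import subprocess
import time
from pathlib import Path


def pending_pcaps(source_dir, min_age=0.0):
    """Return *.pcap files in source_dir, oldest first by mtime.

    Files modified within the last `min_age` seconds are skipped so that a
    pcap still being written is not handed to bro half-finished.
    """
    cutoff = time.time() - min_age
    files = [p for p in Path(source_dir).iterdir()
             if p.is_file() and p.suffix == ".pcap" and p.stat().st_mtime <= cutoff]
    return sorted(files, key=lambda p: (p.stat().st_mtime, p.name))


def run_bro(pcap, extra_args=("local",)):
    """Analyse one pcap with bro -r; extra_args are bro scripts/options."""
    subprocess.run(["bro", "-r", str(pcap), *extra_args], check=True)


def drain(source_dir, done_dir, process=run_bro, min_age=0.0):
    """Process every pending pcap once, oldest first.

    Each file is moved to done_dir only after `process` succeeds, so a
    failed run leaves the pcap in place for the next pass. Returns the
    names handled, in order.
    """
    done = Path(done_dir)
    done.mkdir(parents=True, exist_ok=True)
    handled = []
    for pcap in pending_pcaps(source_dir, min_age):
        process(pcap)
        shutil.move(str(pcap), str(done / pcap.name))
        handled.append(pcap.name)
    return handled


def watch(source_dir, done_dir, process=run_bro, poll_interval=0.5,
          min_age=2.0, stop=lambda: False):
    """Poll source_dir until stop() is true; sleep only when idle."""
    while not stop():
        if not drain(source_dir, done_dir, process, min_age):
            time.sleep(poll_interval)


if __name__ == "__main__":
    # Constructed example paths; replace with the capture tool's output dir.
    watch("/var/pcaps/incoming", "/var/pcaps/done")
```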