Offline/Tracefile Traffic Classification with Bro

Hi,

I am completely new to Bro and have a few *naive* questions.
I have already tried to find the answer myself but to no avail.

I have to classify and isolate Internet traffic (or Internet flows)
which is stored in several trace files in compressed pcap format.
For instance, given a trace file A, and a specific protocol, say, SSH,
what I have to do is generate another trace file which contains only
SSH packets from the trace A.
I do not need the SSH trace file automatically.
But I need at least the 5-tuple of the SSH flows that reside in the
trace A so that I can extract the SSH packets later.

As far as I understand from Bro wiki, Bro can recognize flows from the
tcpdump traces which is the same as pcap trace.
(Here is where I found it:
http://www.bro-ids.org/wiki/index.php/User_Manual:_Bulk_Traces_and_Off-line_Analysis)

Here are the questions:
1) Can I somehow obtain the flows or packets in the flows that match
certain Bro rules and isolate them?
2) If so, how to do it? I have looked through online documents but
cannot get a concrete answer.
3) If not, can I at least identify which flows that match the rules?
4) Is there any rules-repository for Bro (like Snort rules)?

Thank you very much. :)

Cheers,
Isara Anantavrasilp

Is this what you're looking for?

zcat A | tcpdump -r - -w - port 22 | bro -r - tcp; cat conn.log

Or if you need just the packets, skip Bro altogether.

Robin

Hi,

thanks a lot for the answer.
That is what I am looking for, but not entirely.

As far as I understand from the syntax, it pushes every packet that
has TCP port 22 into Bro.
Bro then summarizes the connections in the conn.log (using tcp policy).
And you are right, I want just the packets so that I can process later.

However, it might work with SSH, but the reason I need Bro here is
that some applications that I am interested in require payload
signatures.
And even though it is SSH, I would like to be sure that it is actually
SSH (by analyzing the payload not just port number).

I just found out that with switch "-w <writefile>", Bro can output the packets.
If I use something like

bro -r inputtrace.pcap -w outputtrace.pcap somesignature.bro,

would Bro return packets of all flows that match the policy in
somesignature.bro?

Another question, can Bro handle the compressed trace file by itself
or I always have to use zcat?

Thank you very much!

-- Isara

Hi

Thanks for the advice and sorry for the late reply.
I have looked into wireshark even before Bro.
The problem that I have is that I have to classify the flows in
several extra-large traces.
And it cannot be done without some automated tools.

Up to now I have written a simple classifier based on libtrace but I
am not sure if my own signatures (as well as the algorithm) are valid.
And since Bro is designed to do the classification and already has
signatures available, I am hoping that with the Bro mechanism I can
classify packets/flows easier with higher accuracy.

-- Isara

> I am hoping that with the Bro mechanism I can classify packets/flows
> easier with higher accuracy.

Bro cannot directly classify the connections *and* extract all of
their packets. You could use Bro to classify them first, and then
use some other tool to extract all relevant connections.

Perhaps NetDude might come in handy as well, see
Netdude and
perhaps Netdude

I'm sure one could also write a NetDude plugin which takes a list
of connections and then writes all packets belonging to one of them
into the output file.

> Another question, can Bro handle the compressed trace file by itself
> or I always have to use zcat?

You need to use zcat but that's usually not a problem.

Robin
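The two-step approach Robin describes (classify with Bro, then extract the packets of the matching connections with another tool) can be done with a small stand-alone script instead of a NetDude plugin. The following is an added example, not code from the thread or from the Bro project: it reads a classic pcap file, computes the 5-tuple of every Ethernet/IPv4 TCP or UDP frame, and writes out only the packets that belong to a supplied list of connections, matching both directions of each flow. The `extract_flows` and `five_tuple` names, the `(orig_h, orig_p, resp_h, resp_p, proto)` list format and the embedded sample packets are all constructed for the example; the flow list would in practice come from the conn.log or signature output of your classifier.

```python
import struct
from io import BytesIO
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, raw_frame) records into a little-endian pcap file."""
    out = BytesIO()
    # global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for sec, usec, raw in packets:
        out.write(struct.pack("<IIII", sec, usec, len(raw), len(raw)))
        out.write(raw)
    return out.getvalue()


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, raw_frame) for each record; both byte orders are accepted."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, data[off:off + incl]
        off += incl


def five_tuple(raw):
    """Return (src_ip, src_port, dst_ip, dst_port, proto) for an Ethernet/IPv4 TCP/UDP frame, else None."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (raw[14] & 0x0F) * 4
    proto = raw[23]
    if proto not in (6, 17):  # only TCP and UDP carry ports
        return None
    l4 = 14 + ihl
    if len(raw) < l4 + 4:
        return None
    src, dst = str(IPv4Address(raw[26:30])), str(IPv4Address(raw[30:34]))
    sport, dport = struct.unpack("!HH", raw[l4:l4 + 4])
    return (src, sport, dst, dport, "tcp" if proto == 6 else "udp")


def flow_key(t):
    """Direction-independent key so that both halves of a connection match the same entry."""
    src, sp, dst, dp, proto = t
    a, b = (src, sp), (dst, dp)
    return (min(a, b), max(a, b), proto)


def extract_flows(pcap_bytes, flows):
    """Keep only packets whose 5-tuple belongs to one of `flows`; return (pcap_bytes, kept_count)."""
    wanted = {flow_key(f) for f in flows}
    kept = [(s, u, raw) for s, u, raw in iter_pcap(pcap_bytes)
            if (t := five_tuple(raw)) is not None and flow_key(t) in wanted]
    return build_pcap(kept), len(kept)


def make_tcp_frame(src, sport, dst, dport, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; enough for filtering)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


# Constructed sample: one SSH connection we want, plus two unrelated packets.
SAMPLE_FLOWS = [("10.0.0.5", 51234, "192.0.2.10", 22, "tcp")]
SAMPLE_PCAP = build_pcap([
    (1, 0, make_tcp_frame("10.0.0.5", 51234, "192.0.2.10", 22, b"SSH-2.0-client\r\n")),
    (1, 10, make_tcp_frame("192.0.2.10", 22, "10.0.0.5", 51234, b"SSH-2.0-server\r\n")),
    (2, 0, make_tcp_frame("10.0.0.7", 40000, "192.0.2.10", 22, b"other SSH flow")),
    (2, 5, make_tcp_frame("10.0.0.5", 51234, "192.0.2.11", 80, b"GET / HTTP/1.0\r\n")),
])

if __name__ == "__main__":
    out, n = extract_flows(SAMPLE_PCAP, SAMPLE_FLOWS)
    print(f"kept {n} of 4 packets, wrote {len(out)} bytes of pcap")
```

For real traces, read the input with `sys.stdin.buffer.read()` so the script can sit at the end of a `zcat A | ...` pipeline, and write the returned bytes to the output file. Matching on the direction-independent key is deliberate: a classifier reports one connection, but the trace holds packets in both directions.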