Packet Level Analysis

Hello,

This is probably a very silly question, but I just wanted to get some opinions. Is it possible/feasible to do packet level analysis with bro (e.g., looking at the entire packet as a string to find similar patterns between packets)? Or is bro too high-level to make this an option, as it seems that the relevant events (new_packet, packet_contents, etc.) are exceedingly slow.

If this is possible, however, would I be able to do this in bro scripts or would I need to do something like write the module in C/C++ to hook into bro?

Cheers,
Gehana

The sorts of places where I see this being useful are well served by the Signatures framework.

The traceroute detector in policy/misc is a pretty good example of this ‘sort’ of thing.

Or is bro too high-level to make this an option, as it seems that the relevant events (new_packet, packet_contents, etc.) are exceedingly slow.

Bro is unfortunately too high level to do this right now. There are a few things being worked on that might provide better interfaces for doing this analysis, but they aren't functional yet (bro script compiler and binpac++).

would I need to do something like write the module in C/C++ to hook into bro?

You could certainly write something like that. Our analyzers are abstracted in our repository so it should be fairly easy to see how they're constructed and to write your own, assuming you're comfortable with c/c++. We definitely recognize that falling back to c/c++ is suboptimal though, but at the moment it's all we have to solve your problem well.

  .Seth
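As an added illustration of the Signatures framework approach suggested above (not code from the thread or from the Bro distribution): the pattern match runs in Bro's C++ core, and script land only sees the `signature_match` event when a hit occurs, so no per-packet script events are needed. The signature name, port, the `EXAMPLE-MARKER` payload string and the notice type are all constructed for this example.

```bro
# ---- file: example-marker.sig (constructed example signature) ----
# Matched by the core against reassembled TCP payload, not in script land.
signature example-payload-marker {
    ip-proto == tcp
    dst-port == 8080
    # Only look at established connections, originator side only.
    tcp-state established,originator
    # Constructed marker pattern; regex is anchored at the start of the payload.
    payload /.*EXAMPLE-MARKER-[0-9]+/
    event "constructed marker string seen in client payload"
}

# ---- file: example-marker.bro (constructed example script) ----
@load base/frameworks/notice
@load-sigs ./example-marker.sig

module ExampleMarker;

export {
    redef enum Notice::Type += {
        # Raised once per matching connection.
        Payload_Pattern_Seen
    };
}

# The core raises signature_match only when a signature fires; the
# script never touches individual packets, which is why this scales
# where new_packet / packet_contents handlers do not.
event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "example-payload-marker" )
        return;

    NOTICE([$note=Payload_Pattern_Seen,
            $msg=msg,
            # Keep the matched payload prefix as context for the analyst.
            $sub=fmt("%d payload bytes, match prefix: %s",
                     state$payload_size, sub_bytes(data, 0, 40)),
            $conn=state$conn,
            # Suppress repeat notices per originator host.
            $identifier=cat(state$conn$id$orig_h)]);
    }
```

Run it with `bro -r trace.pcap example-marker.bro`; matches land in notice.log and, via the signature framework's own logging, in signatures.log.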