I am looking at extending Bro to help with traffic isolation. What I need to be able to do is differentiate between traffic that matches a given set of criteria and that which does not. In general, I know this can be done through the policies, and I believe I can do most of what I want within a policy. There are a few things that, from reading the documentation and some initial policy testing, I am not certain about.
1) Is it possible to denote particular packets in a capture? I know most of the analysis is done on a flow/connection basis, but I was wondering if any information regarding the pcap was kept in the streams/records that are passed?
2) Is it possible to get the content from http sessions? I want to be able to validate that the content is that which I know to be on a given site. I know there are content_length and data_length values in the http_message record type, but I do not see much relating to the actual content.
Thanks for any help,
-Reed