remote.bro

Hi everybody!

Where can I find documentation about inter-bro communication? I can't find anything in the archive or the manuals.
I'm using bro 0.9a9, because there is a wireless edition developed at
Dresden University of Technology in Germany. I need the inter-bro communication to develop distributed policies.

Thanks for all hints!

Sandro

Hi Sandro,

start by reading remote.bro and the explanation of how to configure
event communication in policies in the Broccoli documentation:

  http://www.bro-ids.org/broccoli/c85.html#AEN643

Sorry for the lack of documentation -- please do bug us if you can't get
it to work.

Cheers,
Christian.

I have a few pages describing what you need to do to set up inter-bro
communication. See:

http://www.nersc.gov/~scottc/software/bro/broToBro.html

There are several other pages regarding this functionality and some
basic policy scripts that can be found off my main page at:

http://www.nersc.gov/~scottc

Let me know if you have any problems with this.

thanks!

scott

Adding to the replies by Christian and Scott, please note that the
communication code in 0.9 is really old; a lot of changes (and bug
fixes) have been made since then, and I'd actually strongly recommend
using a current version when doing any inter-Bro communication.

That said, perhaps the "wireless edition" can be ported to the
current version? What kind of enhancements does it include? (Anyone
from Dresden happening to read this...?)

Robin

Hi,

When writing an analyzer for a protocol, say X, that runs on top of a
TCP connection, should I always include the 'Deliver' function? Is it the
function that gets called every time an X packet arrives at the interface?

Thanks,
Dhanesh.

Please note that the analyzer interface is going to change quite a
bit with the upcoming 1.2 release (real soon now :-), and I
recommend using the new API for any new code. There is actually already
some documentation available for it in the Bro Wiki (see "API for
dynamic protocol detection").

That said, for a TCP-based analyzer you most probably don't want to
work on packets but on the reassembled payload stream. With the new
API, TCP_ApplicationAnalyzer::DeliverStream() is the entry point for
that.

Robin
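The following is an added example, not code from this thread and not Bro's own analyzer code. It illustrates Robin's point that a TCP-based analyzer should consume the reassembled payload stream rather than individual packets: the stream reassembler hands the analyzer arbitrary-sized chunks, so message boundaries of the application protocol land anywhere, and the analyzer has to buffer per direction and finish parsing when the rest arrives. The `DeliverStream(int len, const u_char* data, bool orig)` shape mirrors, from memory, the entry point Robin names; everything else (the `XAnalyzer` class, the hypothetical protocol "X" with a 2-byte big-endian length prefix, the maximum-length check, and the constructed sample chunks) is assumed for illustration and compiles stand-alone without any Bro headers.

```cpp
// Added example (not Bro code): a stand-alone mock of a stream-based TCP
// application analyzer. The hypothetical protocol "X" is: 2-byte big-endian
// length, followed by that many payload bytes. Stream chunks are NOT
// message-aligned, so each direction keeps its own buffer.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

typedef unsigned char u_char;

struct XMessage {
    bool orig;           // true = originator -> responder direction
    std::string payload;
};

class XAnalyzer {
public:
    // max_msg_len bounds buffering so a peer cannot force unbounded memory use
    // by announcing a huge length and then stalling (an assumed policy).
    explicit XAnalyzer(size_t max_msg_len = 4096)
        : max_len_(max_msg_len), violations_(0) {}

    // Entry point for reassembled stream data, one chunk per call. Mirrors the
    // argument shape of Bro's TCP_ApplicationAnalyzer::DeliverStream.
    void DeliverStream(int len, const u_char* data, bool orig) {
        std::string& buf = orig ? buf_orig_ : buf_resp_;
        buf.append(reinterpret_cast<const char*>(data), static_cast<size_t>(len));
        Parse(buf, orig);
    }

    const std::vector<XMessage>& messages() const { return messages_; }
    int violations() const { return violations_; }

private:
    // Extract as many complete messages as the buffer holds; leave any
    // partial message in place until the next DeliverStream() call.
    void Parse(std::string& buf, bool orig) {
        for (;;) {
            if (buf.size() < 2)
                return;                         // header not complete yet
            size_t n = (static_cast<size_t>(static_cast<uint8_t>(buf[0])) << 8)
                     | static_cast<uint8_t>(buf[1]);
            if (n > max_len_) {                 // protocol violation: stop buffering
                ++violations_;
                buf.clear();
                return;
            }
            if (buf.size() < 2 + n)
                return;                         // payload not complete yet
            XMessage m;
            m.orig = orig;
            m.payload = buf.substr(2, n);
            messages_.push_back(m);
            buf.erase(0, 2 + n);
        }
    }

    size_t max_len_;
    int violations_;
    std::string buf_orig_, buf_resp_;
    std::vector<XMessage> messages_;
};

// Constructed sample: two X messages ("hello", "world!") split across three
// stream chunks at boundaries that do not match the messages, as a TCP
// reassembler might deliver them.
XAnalyzer RunSplitSample() {
    XAnalyzer a;
    const u_char chunk1[] = {0x00, 0x05, 'h', 'e'};
    const u_char chunk2[] = {'l', 'l', 'o', 0x00, 0x06, 'w', 'o'};
    const u_char chunk3[] = {'r', 'l', 'd', '!'};
    a.DeliverStream(static_cast<int>(sizeof chunk1), chunk1, true);
    a.DeliverStream(static_cast<int>(sizeof chunk2), chunk2, true);
    a.DeliverStream(static_cast<int>(sizeof chunk3), chunk3, true);
    return a;
}

// Constructed sample: a header announcing 0x1000 bytes against a limit of 8.
XAnalyzer RunOversizeSample() {
    XAnalyzer b(8);
    const u_char big[] = {0x10, 0x00, 'x'};
    b.DeliverStream(static_cast<int>(sizeof big), big, false);
    return b;
}

int main() {
    XAnalyzer a = RunSplitSample();
    for (size_t i = 0; i < a.messages().size(); ++i)
        std::cout << (a.messages()[i].orig ? "orig: " : "resp: ")
                  << a.messages()[i].payload << "\n";
    std::cout << "violations in oversize sample: "
              << RunOversizeSample().violations() << "\n";
    return 0;
}
```

A packet-oriented `Deliver()` hook would have seen the same bytes as three unrelated fragments; parsing them one packet at a time would miss the first message entirely and misread the header of the second.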