I am using Bro in my research work. My problem is that I am trying to write a Bro script that fires alarms based on TCP packet delays. I didn't find any Bro event that could be handled at every received packet. I tried the tcp_packet and new_packet events, but it seems that they are not fired at every received packet. I even tried to write a signature that could be hit at every TCP packet, but I found that unfortunately TCP signatures could be hit only once, on receipt of the first TCP packet.
Please help, I am really tired…
> I tried the tcp_packet and new_packet events but it seems that
> they are not fired at every received packet.
They pretty much should indeed be generated for every received packet,
other than corner-case exceptions such as bad packet headers, or fragments
(there are a number of these). What I suspect is happening is that
the traffic you're interested in isn't matching the packet-capture filter,
so it's not being looked at in the first place. The way to check this
is to invoke bro using "-f tcp" to set the capture filter to all TCP packets.
When you're running from a trace, you may want to use -C to also
process packets with invalid checksums.
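As an added illustration of the script the original question asks for (this is not code from the thread, from Vern, or from the Bro project), the following per-connection inter-packet delay monitor handles tcp_packet and raises a notice when the gap between two packets of the same connection and direction exceeds a threshold. It is written in Bro 2.x / Zeek script syntax; the Bro 1.5 notice framework declared notice types differently (`redef enum Notice`), so adjust that part for 1.5. The `max_gap` value, the module name, and the notice name are assumptions chosen for the example. Run it against a trace with the capture filter and checksum flag from the reply, e.g. `bro -C -f tcp -r trace.pcap tcp_delay.bro`.

```zeek
# Added example (not from the original thread): per-connection inter-packet
# delay monitor in Bro 2.x / Zeek script syntax.
# Usage (flags as suggested in the reply above):
#   bro -C -f tcp -r trace.pcap tcp_delay.bro

module TcpDelay;

export {
    redef enum Notice::Type += {
        ## Raised when the gap between two TCP packets of one connection
        ## and direction exceeds max_gap.
        Long_Packet_Gap,
    };

    ## Threshold for the inter-packet gap (assumed value; tune per environment).
    const max_gap = 5 sec &redef;
}

# Timestamp of the previous packet seen on each connection, per direction.
# Indexed by the connection id and the originator flag (T = client -> server).
global last_seen: table[conn_id, bool] of time;

# tcp_packet is generated for every TCP packet once a handler exists; the
# packet must first pass the capture filter, hence "-f tcp" on the command line.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    local now = network_time();

    if ( [c$id, is_orig] in last_seen )
        {
        local gap = now - last_seen[c$id, is_orig];
        if ( gap > max_gap )
            NOTICE([$note=Long_Packet_Gap,
                    $conn=c,
                    $msg=fmt("%s packet after a %s gap (flags %s, len %d)",
                             is_orig ? "originator" : "responder",
                             gap, flags, len)]);
        }

    last_seen[c$id, is_orig] = now;
    }

# Forget per-connection state once the connection is torn down so the
# table does not grow without bound on long traces.
event connection_state_remove(c: connection)
    {
    delete last_seen[c$id, T];
    delete last_seen[c$id, F];
    }
```

Tracking each direction separately keeps a slow server response from being masked by client keep-alives; if a single per-connection timer is wanted instead, drop the `is_orig` index. Without `-C`, packets with bad checksums in a trace are discarded before any handler runs, so gaps can appear that are not present on the wire.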
Thank you for your quick feedback. It worked and my problem is solved.
Btw: I suspected my traces (I am using the MAWI traces), so I tried the new_packet and tcp_packet events on the ftp.traces used in your last workshop. The result was the same. However, there is another thing I would like to point out when using the tcp_packet event handler: the event is fired twice at the same moment (network_time()) for the SYN and the SYN ACK messages. Is it normal? During this stage I will manage to use the new_connection and connection_established events.
I will be using Bro for the rest of my PhD (it is a great tool); my next step will be targeting VoIP and mainly SIP. Is there any SIP analyser for Bro?
Quoting Vern Paxson <vern@ICIR.org>:
There's an older prototype of a basic SIP analyzer but that never made
it into the release. I'll forward you an older mail with more details.
> However there is another thing that
> I would like to point to is when using the tcp_packet event handler.
> The event is fired two times at the same moment (network_time()) for
> the SYN and the SYN ACK message. Is it normal?
For Bro 1.5, my guess is this is due to the default use of the "connection
compressor". Try running with "use_connection_compressor=F" on the command
line to turn it off.