TORRENT Detection -BRO

Hi All,

Will I be able to detect torrent downloads using Bro? I could see some torrent analyzers. Is there any load statement I should include in local.bro, or how do I detect it?

Thanks,


Hi,

> Will I be able to detect torrent downloads using Bro? I could see some
> torrent analyzers. Is there any load statement I should include in
> local.bro, or how do I detect it?

The Bittorrent analyzer in Bro has not been touched in years and I assume
that it is not functional (it certainly has not been tested by anyone in a
long time).

If you are interested in trying to enable it, you will have to write all
scripts yourself. As you probably are aware, for most protocol analyzers we
have scripts in base/ that create the logfiles that are written to disk.
These scripts were never created for the Bittorrent analyzer - you would
have to write them from scratch (and as I mentioned I have doubts if it
still works).

So - short version - there is no quick and easy way to enable it
currently.

Johanna

I looked at this a while back, and didn't pursue it because the protocol
itself really doesn't have a lot of useful information. There are no
filenames or really any useful metadata in the protocol (that's all
contained in the .torrent file which is downloaded via a different
channel).

There might be something for DHT, but that would require parsing
a completely different protocol.

  --Vlad

Johanna Amann <johanna@icir.org> writes:
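
Added example, not part of the thread above and not Bro's own code: a Python parser for the BitTorrent peer-wire handshake, showing what a sensor can recover from it (an info_hash, a peer_id and capability bits) and that no filename is present. The sample payloads and flow labels are constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

PSTR = b"BitTorrent protocol"
HANDSHAKE_LEN = 1 + len(PSTR) + 8 + 20 + 20  # 68 bytes in total

class Handshake(NamedTuple):
    info_hash: str             # SHA-1 of the torrent's info dict, hex encoded
    peer_id: bytes             # client-chosen 20-byte identifier
    supports_dht: bool         # reserved[7] & 0x01 (BEP 5)
    supports_extensions: bool  # reserved[5] & 0x10 (BEP 10)

def parse_handshake(payload: bytes) -> Optional[Handshake]:
    """Parse the first bytes of a TCP stream as a peer-wire handshake.

    Returns None for anything else, including a handshake that has not
    been fully reassembled yet and obfuscated (encrypted) peer traffic,
    which does not start with the plaintext protocol string.
    """
    if len(payload) < HANDSHAKE_LEN:
        return None
    if payload[0] != len(PSTR) or payload[1:20] != PSTR:
        return None
    reserved = payload[20:28]
    return Handshake(
        info_hash=payload[28:48].hex(),
        peer_id=payload[48:68],
        supports_dht=bool(reserved[7] & 0x01),
        supports_extensions=bool(reserved[5] & 0x10),
    )

def detect(flows: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (flow label, info_hash) for every flow opening with a handshake."""
    hits = []
    for label, payload in flows:
        hs = parse_handshake(payload)
        if hs is not None:
            hits.append((label, hs.info_hash))
    return hits

# Constructed sample data: one handshake, one HTTP request, one short fragment.
SAMPLE_HANDSHAKE = (bytes([19]) + PSTR + bytes([0, 0, 0, 0, 0, 0x10, 0, 0x01])
                    + bytes(range(20)) + b"-XX0001-" + b"0" * 12)
FLOWS = [
    ("10.0.0.5:51413", SAMPLE_HANDSHAKE),
    ("10.0.0.5:40112", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.5:51414", SAMPLE_HANDSHAKE[:40]),
]

if __name__ == "__main__":
    for label, info_hash in detect(FLOWS):
        print(label, info_hash)
```

The info_hash is the only field that ties a connection to a specific torrent, and mapping it to a name requires the .torrent metadata obtained elsewhere.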