Traffic analysis by Bro

Hi,

What traffic does Bro monitor by default (i.e. what pcap capture filter does it use)?

Suppose one of the policy scripts redefines the capture filter to monitor SSH traffic as follows:

"redef capture_filters += { ["xxxx"] = "tcp port 22" };"

Does this modify the global filter? I mean do all the policy scripts (and not only my script) see the SSH traffic?

Thanks,
Abhinay

> What traffic does Bro monitor by default (i.e. what pcap capture filter
> does it use)?

It builds the pcap filter dynamically at startup depending on which
scripts you load. Just load the script print-filter to see what it
looks like in your particular setup.

> Does this modify the global filter? I mean do all the policy scripts
> (and not only my script) see the SSH traffic?

Yes. Yes. There's always only one pcap filter in use.

Robin

> There's always only one pcap filter in use.

(Nit: there can be two, if you use Bro's "secondary filter" capability,
which is designed to provide a lightweight, additional packet stream to
supplement the main analysis.)

    Vern

Thanks Robin,

So suppose my script wants to analyze only interactive traffic (for example
telnet, ssh), it will have to explicitly ignore all packets not on ports
22/23 because the capture filter may have been modified by other scripts to
capture other traffic.

Regards,
Abhinay

Hmm... Yes and no. Yes because in terms of filtering Bro does not
keep track of which traffic is requested by which script. But no
because your script will contain event handlers to implement your
detection logic. Many (though not all) events are thrown by
application-specific analyzers which only analyze "their" traffic.
E.g., the HTTP analyzer looks only at HTTP connections and thus
you're only going to see HTTP events for traffic on port 80 (or
whichever port it happens to use).

So, the bottom line is that it depends on which events you're going
to analyze. Depending on that, you may or may not need to filter out
events which are irrelevant for you.

Robin

Thanks Robin,

Right now my script has the tcp_packet(...) event handler. I am assuming
that this event handler will be invoked for all TCP packets. Is that right?

Regards,
Abhinay

Abhinay, you don't need to worry about this: the semantic level at which
you're writing your script is far beyond the pcap filter specification.

Typically you will write your script based on event types that are
relevant to the traffic you are interested in. For example, in the case of
an SSH policy script, you might implement handlers for the
ssh_client_version() and ssh_server_version() events, which only ever
get triggered for SSH traffic (potentially in a port-independent fashion
thanks to the new dynamic protocol detection framework).

Think of it this way: you configure Bro using a number of policy
scripts. These scripts together (and through other scripts they @load)
make sure that Bro captures all traffic and only the traffic necessary
to trigger the events you are interested in. At the same time, no events
can ever be triggered (with some caveats) on traffic they are not meant
for.

Cheers,
Christian.
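To make the distinction drawn in Robin's and Christian's replies concrete, here is a small Bro policy script written as an added illustration (it is not code from the thread or from the Bro distribution); the filter label, the port set and the handler bodies are constructed for the example.

```bro
# Added example, not part of the original thread. Shows the two
# mechanisms discussed: extending the single global pcap filter, and
# choosing between analyzer-specific and generic events.

# 1. Extend the global capture filter. Bro merges this entry with the
#    filters requested by every other loaded script, so the resulting
#    packet stream is the union and is visible to all scripts.
redef capture_filters += { ["interactive-ssh"] = "tcp port 22" };

# 2. Analyzer-specific events. These are raised only by the SSH
#    analyzer, so no port check is needed here even though the global
#    filter may carry plenty of non-SSH traffic from other scripts.
event ssh_client_version(c: connection, version: string)
	{
	print fmt("SSH client %s -> %s: %s",
	          c$id$orig_h, c$id$resp_h, version);
	}

event ssh_server_version(c: connection, version: string)
	{
	print fmt("SSH server %s: %s", c$id$resp_h, version);
	}

# 3. Generic transport-level event. tcp_packet() fires for every TCP
#    packet the global filter lets through, so a script that only cares
#    about interactive sessions has to narrow the stream itself.
const interactive_ports: set[port] = { 22/tcp, 23/tcp } &redef;

event tcp_packet(c: connection, is_orig: bool, flags: string,
                 seq: count, ack: count, len: count, payload: string)
	{
	if ( c$id$resp_p !in interactive_ports )
		return;   # not telnet/ssh: ignore, regardless of who asked for it

	print fmt("interactive TCP packet %s:%s -> %s:%s len=%d",
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, len);
	}
```

Loading print-filter alongside this script shows the merged filter that results from all loaded scripts, which is the filter the tcp_packet() handler actually sees.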

Yes, that's right.

Robin