I was wondering what we should do with the RPC and NFS analyzers in Bro
and the ones I've written. The analyzers that currently ship with Bro are
rather incomplete (NFS supports only fstat, lookup, and getattr
procedures) and the RPC analyzer doesn't log (only through conn$service
and conn$addl) and has problems with re-syncing to streams with gaps.
My RPC analyzer extends the stock one by adding a log file (if desired)
and doing the re-sync properly. So I think it makes sense to merge the RPC
analyzer into master (before or after 1.6).

My NFS analyzer does not fully implement all procedures yet either, but
it has skeletons for all procedures (*), can track path- and filenames,
reads/writes/creates, and extract and deliver file content to the script
layer (e.g., for libmagic). I currently don't have the cycles to fully
implement the missing procedures in the near future (the NFS analyzer
does what I need for my analysis); however, I hope to do that at some stage.
The analyzer has, however, been tested with a ton of data (150GB+), is
stable and works fine.

So, even though it's not fully implemented yet, it's a huge improvement
over the current one (which does pretty much nothing). I think it makes
sense to merge it into master as well (alternatively we might consider
removing the NFS analyzers altogether). (Also the NFS and RPC analyzers
are in the same topic branch, so merging just one will require quite a
bit of surgery.)

(*) It will report which not-implemented procedure has been called, its
size and its success status.

What are your thoughts?
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
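The message refers to re-syncing the RPC analyzer on TCP streams with gaps. As an added illustration (this is neither Bro's analyzer code nor the author's branch), the following Python sketch shows what that means for ONC RPC record marking (RFC 5531): each record carries a 4-byte length header, so a lost chunk of bytes leaves the parser pointing into the middle of a message, and it must scan forward for the next believable record boundary. The function names (`parse_stream`, `resync`, `looks_like_record`), the `MAX_FRAGMENT` sanity bound and the rule that a reply is only believed when its xid matches a call already seen are assumptions of this sketch; the sample stream is constructed inline.

```python
import struct

# ONC RPC record marking over TCP (RFC 5531): every fragment starts with a
# 4-byte big-endian header; the high bit flags the last fragment, the low 31
# bits give the fragment length.
LAST_FRAGMENT = 0x80000000
RPC_CALL, RPC_REPLY = 0, 1
RPC_VERSION = 2              # rpcvers is always 2 for ONC RPC
MSG_ACCEPTED = 0
NFS_PROGRAM = 100003         # registered program number of NFS
MAX_FRAGMENT = 1 << 20       # assumption: sanity bound on a plausible fragment length


def build_call(xid, prog, vers, proc):
    """Build one record-marked RPC CALL with AUTH_NULL credential and verifier."""
    body = struct.pack(">IIIIII", xid, RPC_CALL, RPC_VERSION, prog, vers, proc)
    body += struct.pack(">IIII", 0, 0, 0, 0)   # cred flavor/len, verf flavor/len
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def build_reply(xid):
    """Build one record-marked RPC REPLY: MSG_ACCEPTED, AUTH_NULL verifier, SUCCESS."""
    body = struct.pack(">IIIIII", xid, RPC_REPLY, MSG_ACCEPTED, 0, 0, 0)
    return struct.pack(">I", LAST_FRAGMENT | len(body)) + body


def looks_like_record(buf, off):
    """Loose check: does buf[off:] start with a sane record mark and RPC header?"""
    if off + 12 > len(buf):
        return False
    mark, _xid, msg_type = struct.unpack_from(">III", buf, off)
    frag_len = mark & 0x7FFFFFFF
    if frag_len < 8 or frag_len > MAX_FRAGMENT:
        return False
    if msg_type == RPC_CALL:
        if off + 16 > len(buf):
            return False
        return struct.unpack_from(">I", buf, off + 12)[0] == RPC_VERSION
    return msg_type == RPC_REPLY


def resync(buf, off, pending):
    """After losing sync, scan forward for the next believable record boundary.
    A reply is only believed if its xid matches a call already seen, which
    rejects byte patterns inside the gap that merely look like a reply."""
    for cand in range(off, len(buf) - 11):
        if not looks_like_record(buf, cand):
            continue
        xid, msg_type = struct.unpack_from(">II", buf, cand + 4)
        if msg_type == RPC_CALL or xid in pending:
            return cand
    return None


def parse_stream(buf):
    """Walk a reassembled TCP byte stream (possibly with gaps) and return
    (records, resyncs): parsed RPC headers plus the (lost_at, resumed_at)
    offsets at which the parser had to re-synchronise."""
    records, resyncs, pending = [], [], set()
    off = 0
    while off + 4 <= len(buf):
        if not looks_like_record(buf, off):
            new = resync(buf, off + 1, pending)
            if new is None:
                break
            resyncs.append((off, new))
            off = new
        mark, xid, msg_type = struct.unpack_from(">III", buf, off)
        frag_len = mark & 0x7FFFFFFF
        if off + 4 + frag_len > len(buf):
            break                                  # truncated final record
        rec = {"offset": off, "xid": xid}
        if msg_type == RPC_CALL:
            rec["type"] = "call"
            if frag_len >= 24:
                _, rec["prog"], rec["vers"], rec["proc"] = struct.unpack_from(">IIII", buf, off + 12)
            pending.add(xid)
        else:
            rec["type"] = "reply"
            rec["matched_call"] = xid in pending
            pending.discard(xid)
        records.append(rec)
        off += 4 + frag_len
    return records, resyncs


# Constructed sample: NFSv3 calls (proc numbers per RFC 1813: 1 GETATTR,
# 3 LOOKUP, 6 READ) and one reply. The first 10 bytes of the second call are
# dropped to simulate a gap in the TCP stream.
CALL_1 = build_call(1, NFS_PROGRAM, 3, 3)
CALL_2 = build_call(2, NFS_PROGRAM, 3, 1)
CALL_3 = build_call(3, NFS_PROGRAM, 3, 6)
REPLY_3 = build_reply(3)
SAMPLE_STREAM = CALL_1 + CALL_2[10:] + CALL_3 + REPLY_3

if __name__ == "__main__":
    recs, gaps = parse_stream(SAMPLE_STREAM)
    for r in recs:
        print(r)
    print("resyncs:", gaps)
```

On the constructed stream the parser reads the first call, lands inside the damaged second call at offset 44, rejects a reply-shaped byte pattern inside the gap because its xid matches no outstanding call, and resumes at the third call (offset 78), after which the reply for xid 3 is matched normally. Without the xid check the scan would have accepted the false boundary and desynchronised again.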