6 Dec
2011
6 Dec
'11
1:01 a.m.
I want to analysis traffic in/out specific host (identified by ip) in trace file,
where processing for in/out streams are different. So i would be a problem to
notify the script what is my target host. A python script was used to generate
the command lines, such as
bro -r xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind of command.
Is there any mechanism in bro to fulfull this requirement?
There is a way to config ip in files, but i think that would meet its limited
on multi-thread processing.
or broccoli-python suit for me? how would it communicate with a trace file based bro
server?
Readon Shaw
6 Dec
6 Dec
7:23 a.m.
New subject: [Bro] Is it applicapable to specific target ip using command line in bro?
On Tue, Dec 6, 2011 at 4:01 AM, Readon Shaw <xydarcher(a)163.com> wrote:
**
I want to analysis traffic in/out specific host (identified by ip)
in trace file,
where processing for in/out streams are different. So i would be a problem
to
notify the script what is my target host. A python script was used to
generate
the command lines, such as
bro -r xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind
of command.
Is there any mechanism in bro to fulfull this requirement?
Could you just script it to pass the ip as a filter to bro?
bro -r <file.pcap> -f "host a.b.c.d" myscript.bro?
Sridhar
There is a way to config ip in files, but i think that would meet its
limited
on multi-thread processing.
or broccoli-python suit for me? how would it communicate with a trace file
based bro server?
------------------------------
Readon Shaw
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
7:24 a.m.
bro -r xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind of command.
Is there any mechanism in bro to fulfull this requirement?
You can set any &redef variable from the command line. e.g. if yyyy.bro contains:
const target_ip: addr &redef;
event bro_init()
{
print target_ip;
}
Then you can do the following:
$ bro yyyy.bro target_ip=1.2.3.4
1.2.3.4
Does that help?
+Jon
9:11 a.m.
New subject: [Bro] Is it applicapable to specific target ip using command line in bro?
$ bro
yyyy.bro target_ip=1.2.3.4
Hah, I didn't know about that. Is that new with 2.x? 
1:14 p.m.
New subject: [Bro] Is it applicapable to specific target ip using command line in bro?
On Dec 6, 2011, at 11:58 AM, Matthias Vallentin wrote:
Nope, it's been there for a long time.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
$ bro
yyyy.bro target_ip=1.2.3.4
Hah, I didn't know about that. Is that new with 2.x?
5:19 p.m.
New subject: [Bro] Is it applicapable to specific target ip using command line in bro?
bro -r
xxx.pcap yyyy.bro.
But here the bro script can't get the target ip through this kind of command.
Is there any mechanism in bro to fulfull this requirement?
You can set any &redef variable from the command line. e.g. if yyyy.bro contains:
const target_ip: addr &redef;
event bro_init()
{
print target_ip;
}
Then you can do the following:
$ bro yyyy.bro target_ip=1.2.3.4
1.2.3.4
Does that help?
+Jon
3854
days inactive
3855
days old
6 comments
5 participants
participants (5)
-
Matthias Vallentin -
Readon Shaw -
Seth Hall -
Siwek, Jonathan Luke -
sridhar basam