12 Dec
2011
12 Dec
'11
1:29 a.m.
Hello!
I want to ask you if BRO ids can totally replace the following software:
- nprobe
- ngrep
- tcpdump
- and tcpflow
Thank you in advance!
panos
12 Dec
12 Dec
7:19 a.m.
New subject: [Bro] nprobe, ngrep, tcpdump and tcpflow -like behavior of BRO ids?
On Dec 12, 2011, at 4:29 AM, Panos Sakkos wrote:
I want to ask you if BRO ids can totally replace the
following software:
• nprobe
• ngrep
• tcpdump
• and tcpflow
Instead of pointing to tools and asking if Bro can replace them, could you explain tasks
you need to accomplish with a network monitoring tool? All of those tools have a lot of
functionality and Bro certainly doesn't implement every bit of functionality they
have. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
8:08 a.m.
New subject: [Bro] nprobe, ngrep, tcpdump and tcpflow -like behavior of BRO ids?
I am sorry for my incomplete question.
Here are the functionalities we need:
nprobe => convert raw network traffic to netflow format
ngrep => extract fields from incoming and outgoing HTTP traffic (url, referer, ...)
tcpdump => store size-limited TCP session (for an incoming SSH connection for example)
tcpflow => reconstruct TCP flows for given sessions (given source ip for example)
Thank you,
Panos
On Dec 12, 2011, at 4:19 PM, Seth Hall wrote:
On Dec 12, 2011, at 4:29 AM, Panos Sakkos wrote:
I want to ask you if BRO ids can totally replace
the following software:
• nprobe
• ngrep
• tcpdump
• and tcpflow
Instead of pointing to tools and asking if Bro can replace them, could you explain tasks
you need to accomplish with a network monitoring tool? All of those tools have a lot of
functionality and Bro certainly doesn't implement every bit of functionality they
have. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
10:15 a.m.
New subject: [Bro] nprobe, ngrep, tcpdump and tcpflow -like behavior of BRO ids?
On Dec 12, 2011, at 11:08 AM, Panos Sakkos wrote:
nprobe => convert raw network traffic to netflow
format
Bro doesn't output netflow, but we have a connection analyzer and scripts that output
a file named conn.log which is similar but with more information.
ngrep => extract fields from incoming and outgoing
HTTP traffic (url, referer, …)
I don't know if I would say that is a capability of ngrep. I guess in some cases it
works for that, but the Bro 2.0 beta does a much better job.
tcpdump => store size-limited TCP session (for an
incoming SSH connection for example)
tcpdump doesn't even do this (that I know of). We have a tool named Time Machine
that can do this and more though. It should be getting more attention and work done on it
soon too.
tcpflow => reconstruct TCP flows for given sessions
(given source ip for example)
Yes
Try the 2.0 beta from our site. It's much easier to begin using that the current 1.5
release. You should be able to have some output in just a few minutes. Our quick start
guide is available here:
http://www.bro-ids.org/documentation-beta/quickstart.bro.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
3849
days inactive
3849
days old
3 comments
2 participants
participants (2)
-
Panos Sakkos -
Seth Hall