Knowing Bro
Another tool for analyzing network traffic is Bro (renamed Zeek in 2018). Bro is a very powerful tool that is often positioned as an IDS, but its possibilities are much wider than that. Discussing all of them in a single chapter is almost impossible, so we will consider only some of them. One of the many advantages of Bro is its set of ready-made parsers (analyzers) for different protocols.
For example, the following are some of them:
- DHCP
- DNS
- FTP
- HTTP
- POP3
- SMTP
- SSH
The list of these protocols is constantly expanding.
By default, Bro runs these protocol analyzers on all traffic it sees and records the results in log files that correspond to the individual protocols, such as dns.log, http.log and ssh.log, alongside the general connection summary in conn.log.
Bro also allows you to write your own handlers in its scripting language, which is also called Bro. Whenever Bro raises an event while processing traffic (a new connection, an HTTP request, a file carried over some protocol), any handler you have defined for that event is executed.
For example, consider the following simple event handler, which reacts to Bro discovering a new file in the traffic and attaches the extraction analyzer to it so that the file's contents are written to disk:

```bro
event file_new(f: fa_file)
    {
    # Name the extracted file after Bro's unique file id
    local fname = fmt("%s", f$id);
    # Attach the EXTRACT analyzer so the file's contents are written to disk
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }
```
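Extracting every file Bro sees quickly fills a disk, so in practice a handler decides based on what the file is. The following script is an added example, not part of the original chapter or of the Bro distribution: it uses the `file_sniff` event (raised once Bro has inferred the MIME type) to extract only executables and PDFs, regardless of which protocol carried them, and reports the on-disk path when Bro finishes with the file. The output directory and the set of MIME types are assumptions chosen for the example.

```bro
# Added example: extract only executables and PDFs, whatever protocol
# carried them, and report where each extracted file landed.
@load base/files/extract

# Directory the extracted files are written to (assumption for this example).
redef FileExtract::prefix = "./extract_files/";

# MIME types worth pulling off the wire (chosen for this example; extend as needed).
const extract_mime_types: set[string] = {
    "application/x-dosexec",
    "application/pdf"
} &redef;

# file_sniff fires once Bro has seen enough of the file to guess its MIME type,
# so unlike file_new it lets us decide based on content rather than a file name.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    # Not every file gets a MIME type; skip those Bro could not classify.
    if ( ! meta?$mime_type )
        return;

    if ( meta$mime_type !in extract_mime_types )
        return;

    # Include the source (e.g. HTTP, SMTP) in the name so files seen by
    # different protocol analyzers never collide on disk.
    local fname = fmt("%s-%s", f$source, f$id);
    Files::add_analyzer(f, Files::ANALYZER_EXTRACT, [$extract_filename=fname]);
    }

# file_state_remove fires when Bro is done with a file; by then the extract
# analyzer has recorded the on-disk path in f$info$extracted.
event file_state_remove(f: fa_file)
    {
    if ( f?$info && f$info?$extracted )
        print fmt("extracted %s (%d bytes seen) -> %s",
                  f$id, f$seen_bytes, f$info$extracted);
    }
```

Run it against a capture with `bro -r capture.pcap extract.bro` (or on a live interface with `-i`); the extracted files appear under the prefix directory and each one is also recorded in files.log, so the `print` in `file_state_remove` is only there to make the behaviour visible on the console.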