[Oisf-devel] Suricata, Bro and Broccoli

Victor Julien victor at inliniac.net
Mon Dec 3 14:04:47 UTC 2012


On 11/29/2012 05:49 PM, Daniel Wyschogrod wrote:
> I would very much appreciate some pointers to the portions of the Suricata source code that deals with the host tables and whatever hooks may be currently available.  However, some of the other sensors that we're working with involve things like connection fan-out and fan-in (how many servers is a client talking to, is a previously client-type machine newly behaving like a server and for what services, etc.) which involve aggregating connections and our initial thought was to use Bro to help with this.

Check:
src/flow-{bit|var}.[ch]
src/detect-flow{bits|var|int}.[ch]
for our current flow based var implementations.

Check
src/detect-iprep.c (in 1.4rc1/git master)
for how to access the host from a detect module.

Please let me know if you have questions.

Cheers,
Victor

> Dan
> ____________________
> Dan Wyschogrod
> 
> Senior Scientist
> Cyber Security
> Raytheon/BBN Technologies
> 
> dwyschogrod at bbn.com
> 
> 
> 
> 
> On Nov 29, 2012, at 11:40 AM, Victor Julien <victor at inliniac.net> wrote:
> 
>> On 11/29/2012 05:33 PM, Daniel Wyschogrod wrote:
>>> We are considering multi-flow and packet correlation for a number of our
>>> existing sensors that we want to port to a combination of Suricata
>>> and/or Bro environments.  Some examples include matching ICMP echo and
>>> echo reply messages and counting various types of ICMP messages coming
>>> from individual IP addresses.  We were thinking of using Suricata to
>>> identify ICMP message types and then using Bro to do the counting per IP
>>> address, or something like that.  Our previous implementation used a
>>> specialized architecture.
>>
>> While I don't want to discourage building a bro-suri connection, I think
>> it's also worth exploring if the per ip tracking can be done in suri
>> alone. We already have a scalable host table in suricata, and adding
>> things like hostints, hostbits, etc (pretty much what we have for flows
>> currently) will not be hard. Maybe this could accomplish a lot of what
>> you need already.
>>
>>> Dan
>>>
>>>> Victor Julien <mailto:victor at inliniac.net>
>>>> November 29, 2012 11:14 AM
>>>>
>>>> We've been talking to the Bro guys about this, but as far as I know,
>>>> nothing has been done yet.
>>>>
>>>> What kind of multi-flow correlation are you looking for?
>>>>
>>>
>>> -- 
>>> ________________
>>> Dan Wyschogrod
>>>
>>> Senior Scientist
>>> Cyber Security
>>> Raytheon/BBN Technologies
>>>
>>> dwyschogrod at bbn.com
>>>
>>
>>
>> -- 
>> ---------------------------------------------
>> Victor Julien
>> http://www.inliniac.net/
>> PGP: http://www.inliniac.net/victorjulien.asc
>> ---------------------------------------------
>>
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
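The per-host aggregation the thread talks about (fan-out and fan-in of connections, a client-type host that starts answering as a server, ICMP echo/reply matching and per-IP ICMP type counts) can be sketched in a few dozen lines. The block below is an added example, not code from this thread, from Suricata or from Bro; it keeps its own small "host table" in memory and runs over a constructed list of connection records (the `RECORDS` list, the `HostState` fields and all function names are assumptions of this example, not Suricata internals).

```python
"""Per-host aggregation over connection records: fan-out, fan-in, role change,
per-IP ICMP type counts and unanswered echo requests. Added example, not
Suricata or Bro code; the record format and all names are this example's own."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostState:
    """What the in-memory host table remembers about one IP address."""
    first_role: str = ""                                   # "client" or "server"
    peers_as_client: set = field(default_factory=set)      # servers this host talked to
    peers_as_server: set = field(default_factory=set)      # clients that talked to it
    services_served: set = field(default_factory=set)      # (proto, dport) it answered on
    icmp_types_sent: dict = field(default_factory=lambda: defaultdict(int))


# Constructed records: (timestamp, src, dst, proto, dport, icmp_type or None).
RECORDS = [
    (1.0, "10.0.0.5", "10.0.1.10", "tcp", 80, None),
    (2.0, "10.0.0.5", "10.0.1.11", "tcp", 443, None),
    (3.0, "10.0.0.5", "10.0.1.12", "tcp", 22, None),
    (4.0, "10.0.0.7", "10.0.1.10", "tcp", 80, None),
    (5.0, "10.0.0.5", "10.0.1.10", "icmp", 0, 8),        # echo request
    (5.1, "10.0.1.10", "10.0.0.5", "icmp", 0, 0),        # echo reply
    (6.0, "10.0.0.5", "10.0.1.13", "icmp", 0, 8),        # echo request, never answered
    (9.0, "10.0.0.9", "10.0.0.5", "tcp", 4444, None),    # 10.0.0.5 now acts as a server
]


def build_host_table(records):
    """Fold connection records into a per-IP HostState, oldest record first."""
    table = defaultdict(HostState)
    for ts, src, dst, proto, dport, icmp_type in sorted(records, key=lambda r: r[0]):
        if proto == "icmp":
            # ICMP carries no client/server role; only count the type per sender.
            table[src].icmp_types_sent[icmp_type] += 1
            continue
        for ip, role in ((src, "client"), (dst, "server")):
            if not table[ip].first_role:
                table[ip].first_role = role
        table[src].peers_as_client.add(dst)
        table[dst].peers_as_server.add(src)
        table[dst].services_served.add((proto, dport))
    return table


def fan_out(table, ip):
    """Number of distinct servers this host has connected to."""
    return len(table[ip].peers_as_client)


def fan_in(table, ip):
    """Number of distinct clients that have connected to this host."""
    return len(table[ip].peers_as_server)


def noisy_clients(table, max_fan_out):
    """Hosts whose fan-out exceeds a threshold, sorted by address."""
    return sorted(ip for ip in table if fan_out(table, ip) > max_fan_out)


def role_changes(table):
    """Hosts first seen as a client that later answered as a server, with the services."""
    return {ip: sorted(h.services_served) for ip, h in table.items()
            if h.first_role == "client" and h.services_served}


def unanswered_echo_requests(records):
    """(src, dst) pairs whose ICMP echo request (type 8) got no later reply (type 0)."""
    pending = defaultdict(list)
    for ts, src, dst, proto, _dport, icmp_type in sorted(records, key=lambda r: r[0]):
        if proto != "icmp":
            continue
        if icmp_type == 8:
            pending[(src, dst)].append(ts)
        elif icmp_type == 0 and pending[(dst, src)]:
            pending[(dst, src)].pop(0)             # reply matches the oldest request
    return sorted(pair for pair, outstanding in pending.items() if outstanding)


if __name__ == "__main__":
    t = build_host_table(RECORDS)
    print("fan-out 10.0.0.5:", fan_out(t, "10.0.0.5"))
    print("role changes:", role_changes(t))
    print("unanswered echo:", unanswered_echo_requests(RECORDS))
```

The thresholds and the "first role wins" heuristic are deliberately simple; in a real sensor the host table would need aging and bounded memory, which is exactly the part Suricata's existing host table already handles and the flow-bit code pointed at above shows the pattern for.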