I want to make a system to analyze pcap files. So far I'm using Bro (for JSON output) and the Elastic-stack for visualizing the data. This works great, but there is a lot of traffic in the pcaps from ad-servers that I want to filter out. I've been looking at modifying Bro to do the job when 'processing' pcaps. But I think it would be easier/better to remove the unwanted traffic before processing with Bro, for example with tshark. I found some lists of ad-server IPs and domains at the following URLs:
These lists are not complete, but they do cover many ad-servers that I want to exclude from the pcaps I want to analyze.
asked 04 May '17, 02:45 r00t070, edited 04 May '17, 02:46
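As an added example (not code from the original post or from Bro/Wireshark), the following Python script shows the pre-processing step the question describes: it reads an IP/CIDR blocklist of the kind the linked lists provide, turns it into a tshark display filter that can be passed as `tshark -r in.pcap -Y '<filter>' -w clean.pcap`, and, for captures that tshark cannot be run on, filters a classic little-endian Ethernet pcap directly in Python by dropping every IPv4 packet whose source or destination address is blocklisted. The blocklist entries, addresses and the four-packet capture are constructed for the demonstration (TEST-NET ranges, not real ad-servers); domain-based exclusion (which needs DNS or TLS SNI inspection) is left out.

```python
import ipaddress
import struct

# Classic libpcap format constants: little-endian magic, Ethernet link type.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def load_blocklist(lines):
    """Parse a text blocklist: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_blocked(addr, nets):
    """True if the address falls inside any blocklisted network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def tshark_filter(nets):
    """Display filter that excludes every packet touching a blocklisted address.
    Use as: tshark -r in.pcap -Y '<filter>' -w clean.pcap
    """
    terms = []
    for net in nets:
        if net.prefixlen == net.max_prefixlen:
            terms.append(f"ip.addr == {net.network_address}")
        else:
            terms.append(f"ip.addr == {net.with_prefixlen}")
    return "!(" + " || ".join(terms) + ")"


def iter_packets(data):
    """Yield (record_header, frame_bytes) pairs from an in-memory pcap."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    offset = 24  # skip the 24-byte global header
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        start = offset + 16
        yield data[offset:start], data[start:start + incl_len]
        offset = start + incl_len


def packet_ips(frame):
    """Return (src, dst) for an IPv4-over-Ethernet frame, or None for anything else."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    return str(ipaddress.IPv4Address(frame[26:30])), str(ipaddress.IPv4Address(frame[30:34]))


def filter_pcap(data, nets):
    """Return (filtered_pcap_bytes, dropped_count); non-IPv4 frames are kept as-is."""
    out = bytearray(data[:24])
    dropped = 0
    for header, frame in iter_packets(data):
        ips = packet_ips(frame)
        if ips and (is_blocked(ips[0], nets) or is_blocked(ips[1], nets)):
            dropped += 1
            continue
        out += header + frame
    return bytes(out), dropped


# --- constructed sample data (not from a real capture) ---------------------

def make_packet(src, dst):
    """Minimal Ethernet + IPv4 + UDP frame with zeroed MACs and checksums."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip4 + struct.pack("!HHHH", 53, 53, 8, 0)


def make_pcap(frames):
    """Wrap raw frames in a classic pcap container (global header + per-packet records)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


SAMPLE_BLOCKLIST = [  # constructed entries, not a real ad-server list
    "203.0.113.0/24   # pretend ad-server range (TEST-NET-3)",
    "198.51.100.7     # pretend single ad-server host",
]


def demo():
    """Filter a constructed four-packet capture; returns (kept, dropped)."""
    nets = load_blocklist(SAMPLE_BLOCKLIST)
    capture = make_pcap([
        make_packet("10.0.0.5", "203.0.113.9"),   # to blocklisted range -> dropped
        make_packet("10.0.0.5", "192.0.2.1"),     # ordinary traffic      -> kept
        make_packet("198.51.100.7", "10.0.0.5"),  # from blocklisted host -> dropped
        make_packet("10.0.0.6", "192.0.2.2"),     # ordinary traffic      -> kept
    ])
    cleaned, dropped = filter_pcap(capture, nets)
    return sum(1 for _ in iter_packets(cleaned)), dropped


if __name__ == "__main__":
    print(demo())
    print(tshark_filter(load_blocklist(SAMPLE_BLOCKLIST)))
```

The pure-Python path reads only the Ethernet and IPv4 headers, so it keeps ARP, IPv6 and other non-IPv4 frames untouched rather than silently discarding them; if the goal is to remove everything except a known-good subset, invert the test in `filter_pcap`. The generated tshark filter uses `ip.addr`, which matches either direction, so a reply from an ad-server is excluded as well as the request to it.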