[Bro] Off-line analysis

john mcnicholas jomcn at mail.com
Sun Dec 5 14:25:14 PST 2004

> When I try to off-line analysis with -r option, how can I use all Bro
> rules?

I'm taking at stab at this since I've been wrestling with a very similar
situation for a class.  Anyway, if by rules you mean snort type signatures
you can do one of the following:

a. on the command line via -s rulefilename

b. in a policy script using the "signature_files" variable.  i'm been doing
the following:

	redef signature_files += "snort-default.sig";
	redef signature_files += "worm.sig";

In addition I threw in an event to dump some info out.

event  bro_init()
	print  fmt("-- signature_files = [%s]", signature_files);

	# the http_servers is readable but by no means pretty.
	print  fmt("-- http_servers = [%s]", http_servers);

Note: I'm no expert but I believe http_servers is signficant for a number of
the snort signatures.

For what its worth, I've been attempting to compare snort vs bro for a class
(perhaps like you are) and evidently I'm doing something wrong since I get
dozens of unique alerts (or alarms) in snort, but only 3 unique ones in bro.
I'm sure it is  a configuration problem but if anyone wants to volunteer any
suggestions it would be appreciated.




More information about the Bro mailing list