[Bro] Off-line analysis

shonx001 shonx001 at umn.edu
Sun Dec 5 15:13:38 PST 2004

If so, 
I first have to make "my own".bro, and then add the "my own.bro" file to
policy setting in bro.cfg?

What I'm wondering is to set up for general IDS OFF-Line test.
In my thought, it is not easy to test in Off-line in comparison with Snort,
although Bro performance is better than snort. :)

I really appreciate if you tell me know more specific method to use Bro in
off-line test.

Best Regards,

On 5 Dec 2004, Vern Paxson wrote:
> > When I try to off-line analysis with -r option, how can I use all Bro
> > rules?
> The notion of "all Bro rules" is not that well defined.  There are a
> number (100+) of policy files in policy/*.bro, some of which are
> with others (for example, print-filter.bro prints the BPF filter being
> and then exits).
> That said, here's what we use when to run against our internal test
> 	@load site
> 	@load mt
> 	@load tftp
> 	@load dns
> 	@load flag-irc
> 	@load smtp-relay
> 	@load software
> 	@load ssh
> 	@load worm
> 	@load backdoor.bro
> 	@load blaster.bro
> 	@load flag-warez.bro
> 	@load gnutella.bro
> 	@load http-abstract.bro
> 	@load http-body.bro
> 	@load http-reply.bro
> 	@load icmp.bro
> 	@load ssl-worm.bro
> 	@load stepping.bro
> 	@load synflood.bro
> This winds up loading a whole lot of the analysis.
> 		Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list