[Bro] Off-line analysis II

Christian Kreibich christian at whoop.org
Fri Dec 10 02:20:35 PST 2004


On Fri, 2004-12-10 at 06:58, shonx001 wrote:
> Dear Great Researchers,
> When I tried to do Bro Offline test, I just got many ***.log files about
> dos dump, normal dump, and so on.
> However, when I tried to do that in real time mode, I could have various
> alerts about real time packets.
> Could you let me know how I can obtain more realistic Bro alert results in
> OFF-Line Analysis?

There is absolutely no difference between using trace files (I presume
that's what you mean by "offline") and real traffic in the output
generated by Bro. What you get as output when reading in trace files is
exactly the same you'd get if you had seen those packets on a live