[Bro] Capturing events
dmvasil at ornl.gov
Thu Feb 2 08:03:27 PST 2006
I noticed the capture-events.bro policy and loaded it; it has been
generating an events.bst file in my logs directory with data inside of
it. My question is: what can I get out of this file? Is this just a
raw packet capture of anything that is flagged by a policy?
Also, I tried replaying the file using bro -R events.bst and it appears
to be waiting for standard input. When I try to specify a policy to
use on the command line, it errors with:
[root at endace bro]# bin/bro -R /scratch/bro/logs/events.bst http
./site, line 1: error: read failed with "Is a directory"
I searched through the documentation and saw no reference to 'replay',
'events.bst', or even '.bst'.
Also, where can I get the start-capture-all script? Is this just a
wrapper around tcpdump, or does it grab the data before/after Bro looks
at the stream? Unfortunately, with the DAG capture cards I am testing
with, only one application can read from the device at a time.
Any suggestions? Thanks!
| David Vasil <dmvasil at ornl.gov>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-A115 Phone: (865)241-5562