[Bro] Traffic analysis by Bro
robin at icir.org
Fri Nov 10 09:10:41 PST 2006
On Thu, Nov 09, 2006 at 12:32 -0600, Abhinay Kampasi wrote:
> What traffic does Bro monitor by default (i.e. what pcap capture filter
> does it use)?
It builds the pcap filter dynamically at startup depending on which
scripts you load. Just load the script print-filter to see what it
looks like in your particular setup.
> Does this modify the global filter? I mean do all the policy scripts
> (and not only my script) see the SSH traffic?
Yes. Yes. There's always only one pcap filter in use.
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org