[Bro] getting first results
kosinovsky1 at llnl.gov
Tue Jul 28 11:11:43 PDT 2009
I am trying to get my first results with BRO. I am just running
mt.bro on an existing tcpdump file (containing some DNS data). My
exact command is "bin/bro -r dns.cap share/bro/mt.bro"
This command runs to completion without error and creates empty log
files for a number of policies loaded inside mt.bro. Also, if I put a
print statement inside mt.bro, I can see the output. However, if I
put print statements inside any of the functions defined in policies
loaded by mt.bro ("dns-lookup", "weird", etc.) I cannot see any
results -- presumably these policies have to be invoked. The scripts
I am modifying to try to see these results are in share/bro
(share/bro/weird.bro, share/bro/dns-lookup.bro, etc.).
It appears to be straightforward, but I must be missing something conceptually.
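A minimal stand-alone policy illustrating the point raised above: loading a script does not execute the functions it defines; code only runs from event handlers that Bro invokes, either once at startup (bro_init) or when the analyzer generates an event from the trace (dns_request). This is an added example, not code from the original post or from the Bro distribution. The file name dns-print.bro, the trace name dns.cap, and the use of "@load dns" to enable the DNS analyzer are assumptions; the dns_request signature is the one from the Bro 1.x event definitions.

```bro
# Added example (not from the original post or the Bro distribution).
# Assumed invocation, mirroring the one in the post:
#   bin/bro -r dns.cap share/bro/dns-print.bro
# "@load dns" is assumed to be enough to activate the DNS analyzer so
# that dns_* events are generated while the trace is read.
@load dns

# A plain function. Nothing calls it just because the script is loaded,
# so a print statement placed in here would never produce output on its own.
function describe_query(c: connection, query: string, qtype: count): string
	{
	return fmt("%s -> %s asked for %s (qtype %d)",
	           c$id$orig_h, c$id$resp_h, query, qtype);
	}

# Runs exactly once, at startup, before the first packet is processed.
event bro_init()
	{
	print "dns-print loaded; waiting for DNS traffic from the trace";
	}

# Runs once for every DNS query the analyzer parses out of the trace;
# this is the only path through which describe_query() gets executed.
event dns_request(c: connection, msg: dns_msg, query: string,
                  qtype: count, qclass: count)
	{
	print fmt("%s %s", network_time(), describe_query(c, query, qtype));
	}

# Runs once after the whole trace has been consumed.
event bro_done()
	{
	print "trace finished";
	}
```

If bro_init and bro_done print but dns_request never fires, the trace is not being recognized as DNS (for example, a non-standard port), which is a different problem from the script not being loaded.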