[Bro] Using Bro IDS in offline analysis
JAzoff at uamail.albany.edu
Fri Feb 12 08:54:03 PST 2010
On Fri, Feb 12, 2010 at 07:36:38AM -0800, ssm_as wrote:
> Shortly, I have several network binary files in PCAP and TCPDUMP format. I
> want to parse these files with Bro and get the Bro alerts in machine-readable
> format (txt, csv, or whatever).
> 1- Is that possible (usually I use Snort and it is very easy to accomplish,
> but I am planning to compare between Snort and Bro)?
> 2- What are the configurations that I need?
bro -f 'ip' -C -r your.pcap brolite
will run 'your.pcap' through Bro while loading the brolite policy (which loads most things).
You could run it through specific policies by just running something like
bro -f 'ip' -C -r your.pcap http-request smtp irc
That should get you started. You'll probably want to start writing your own
policy scripts to detect the specific things you are looking for and output
them in the format you want.
-- Justin Azoff
-- Network Security & Performance Analyst