[Bro] Using Bro IDS in offline analysis

Justin Azoff JAzoff at uamail.albany.edu
Fri Feb 12 08:54:03 PST 2010


On Fri, Feb 12, 2010 at 07:36:38AM -0800, ssm_as wrote:
> Shortly, I have several network binary files in PCAP and TCPDUMP format. I
> want to parse these files with Bro and get the bro alerts in machine readable
> format (txt, csv, or whatever).
> 
> 1- Is that possible ( Usually I use snort and it is very easy to accomplish
> but I am planning to compare between Snort and Bro)?

Definitely!

> 2- What are the configurations that I need?

Not much...
    
    bro -f 'ip' -C -r your.pcap brolite

will run 'your.pcap' through bro while loading the brolite policy (which loads most things).
You could run it through specific policies by just running something like

    bro -f 'ip' -C -r your.pcap  http-request smtp irc

That should get you started. You'll probably want to start writing your own
policy scripts to detect the specific things you are looking for and output
them in the format you want.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
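The reply above stops at "write your own policy script to output the format you want". As an added example (not part of the original thread and not Bro's own policy code), here is a small policy script in the Bro 1.x script syntax of the time that logs every HTTP request seen in the trace as one CSV row. It assumes the Bro 1.x built-ins `open_log_file`, `fmt`, `network_time` and the five-argument `http_request` event, and that loading `http-request` activates the HTTP analyzer for the trace; the output file name `http-requests` and the column set are my own choices.

```bro
# my-http-csv.bro: CSV output of HTTP requests from an offline pcap run.
# Added example for the Bro 1.x (2010-era) script API; assumptions noted inline.

# Activates HTTP analysis so the http_request event fires (assumed sufficient).
@load http-request

# Assumption: open_log_file("http-requests") creates http-requests.log
# in the working directory, following Bro 1.x log naming.
global http_csv: file = open_log_file("http-requests");

event bro_init()
	{
	# Header row so the file imports cleanly into a spreadsheet or a script.
	print http_csv, "ts,orig_h,resp_h,resp_p,method,uri";
	}

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
	{
	# network_time() is the timestamp of the packet being processed, so with
	# -r the rows carry the capture time rather than the wall clock.
	# Ports print as e.g. "80/tcp" under %s; the raw (escaped) URI is logged
	# so nothing the client sent is altered on the way to the CSV.
	print http_csv, fmt("%.6f,%s,%s,%s,%s,%s",
	                    network_time(),
	                    c$id$orig_h, c$id$resp_h, c$id$resp_p,
	                    method, original_URI);
	}
```

Run it alongside the policies named in the reply, e.g. `bro -f 'ip' -C -r your.pcap http-request my-http-csv.bro`; fields that may contain commas (the URI in particular) should be quoted or the separator changed if the consuming tool is strict about CSV.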
