[Bro] Using Bro IDS in offline analysis

Vern Paxson vern at icir.org
Sun Feb 14 11:22:53 PST 2010

>     bro -f 'ip' -C -r your.pcap brolite
> will run 'your.pcap' through bro while loading the brolite policy(which loads most things)

Yep.  A minor nit: you shouldn't need "-f ip", as analysis scripts generally
include a tcpdump filter for the packets of interest; and you shouldn't
need -C *unless* the capture has bad checksums (which is usually not the
case, but can be for systems that are recording their own traffic, for


More information about the Bro mailing list