[Bro] Trace Execution with broctl
baxterw3232 at gmail.com
Mon Apr 4 12:23:27 PDT 2011
On Mon, Apr 4, 2011 at 2:55 PM, Seth Hall <seth at icir.org> wrote:
> On Apr 4, 2011, at 10:27 AM, Will wrote:
> > Is there currently a way to run an offline trace using broctl?
> This is actually currently partially implemented in a branch. The problem
> with it is that it brings up a lot of questions about how it should work and
> how things should be handled from within BroControl. What I would
> personally like to see (but probably won't happen initially) is clustered
> tracefile processing.
> Once we figure out a way forward on the read command, we can get it
> finished and integrated. Please file the ticket still if you don't mind.
> If you could be especially explicit about what features you need/want or
> how you'd like it to work, that would be a huge help.
I found cached versions of both files below and was going to see if I could
get them working on our test box.
source: broctl/BroControl/config.py @ 6683ca9
Revision 6683ca9, 14.5 KB checked in by seth, 3 months ago (diff)
source: broctl/bin/broctl.in @ 6683ca9
Revision 6683ca9, 23.3 KB checked in by seth, 3 months ago (diff)
"read" command for doing offline tracefile analysis through broctl.
There is more work to go, but so far, reading a single tracefile on
a standalone node works and it should work on a "localhost" cluster
config too but hasn't been tested.
Again, I would be happy to add what I would like to see as far as features.
Initially, having the ability to create a 'trace execution file' that steps
through policy execution of an offline pcap file would be fabulous. This is
mostly because I am so new (*terrible) at programming and am learning C as I
go. So, with that in mind, I may include something that clearly already
exists or doesn't make any sense.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network