[Bro] Standard Bro checks on tcpdump files. What does that really mean?
init.conf at gmail.com
Mon Dec 23 18:46:09 PST 2013
When running bro -r dumpfile, you have to specify a policy file or a set of policy files, which are used to process the dumpfile.
The default option is to use local.bro (found in the <your_bro_install>/share/bro/site/ folder).
So this becomes: bro -r dumpfile local.bro
Once successful, look in the log directory for a file called loaded_scripts.log. This log lists the policy files that were used for this specific Bro run and analysis.
(If you are running Bro as a daemon after doing broctl start, you can use broctl scripts all to get a listing of the loaded policies as well.)
On Dec 23, 2013, at 5:58 PM, Luca Renaud <renaud.luca at gmail.com> wrote:
> When we do a bro -r dumpfile on a previously recorded dump file, what are the standard checks Bro really executes? ALL that come defined within the Bro scripts directory (export BROPATH=/...........)? Backdoor.bro, etc., etc.? Or just A PART of it?
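Added example, not part of the thread: a small POSIX shell helper for the loaded_scripts.log check described in the reply above, so you can list what a bro -r run actually loaded and test for one script by name. The log paths, timestamp and the temp-file location are constructed for this example, not taken from a real Bro run.

```shell
#!/bin/sh
# Helper for the loaded_scripts.log check. Real use after a capture run:
#   bro -r dumpfile local.bro && loaded_scripts loaded_scripts.log
# Bro logs are tab-separated; lines starting with '#' are metadata
# (#separator, #fields, #close, ...). loaded_scripts.log has a single
# 'name' column, indented to show the @load hierarchy.

# Print every loaded script path, one per line, indentation stripped.
loaded_scripts() {
  grep -v '^#' "$1" | sed 's/^[[:space:]]*//'
}

# Number of scripts recorded in the log.
count_loaded_scripts() {
  loaded_scripts "$1" | wc -l | tr -d ' '
}

# Succeed (exit 0) if the script, given as a basename or a full path, was loaded.
script_loaded() {
  loaded_scripts "$1" | awk -v want="$2" '
    BEGIN { rc = 1 }
    { base = $0; sub(/.*\//, "", base); if ($0 == want || base == want) rc = 0 }
    END { exit rc }'
}

# Constructed sample log (paths and timestamp are made up for this example,
# not copied from a real Bro run) so the helpers can be exercised offline.
SAMPLE_LOG="${TMPDIR:-/tmp}/loaded_scripts.sample.$$"
printf '#separator \\x09\n#path\tloaded_scripts\n#fields\tname\n#types\tstring\n' > "$SAMPLE_LOG"
printf '%s\n' \
  '/opt/bro/share/bro/base/init-bare.bro' \
  '  /opt/bro/share/bro/base/init-default.bro' \
  '/opt/bro/share/bro/site/local.bro' \
  '  /opt/bro/share/bro/policy/protocols/ssl/validate-certs.bro' >> "$SAMPLE_LOG"
printf '#close\t2013-12-23-18-46-09\n' >> "$SAMPLE_LOG"

echo "scripts loaded: $(count_loaded_scripts "$SAMPLE_LOG")"
script_loaded "$SAMPLE_LOG" local.bro && echo "local.bro was loaded"
script_loaded "$SAMPLE_LOG" backdoor.bro || echo "backdoor.bro was not loaded"
```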