[Bro] Standard Bro checks on tcpdump files.What that really means?

Aashish Sharma init.conf at gmail.com
Mon Dec 23 18:46:09 PST 2013

When running  bro -r dumpfile ; you have to specify a policy file or a set of policy files which are used to process the dumpfile. 

The most default option is to use local.bro (found in <your_bro_install>/share/bro/site/ folder. 

So this becomes: bro -r dumpfile local.bro 

Once successful, looking in the log directory for a file called loaded_scripts.log. This log will list the policy files which were used for this specific bro run and analysis. 

(if you are running bro as a daemon after doing broctl start, then you can use broctl scripts all to get a listing of loaded_policies as well)


On Dec 23, 2013, at 5:58 PM, Luca Renaud <renaud.luca at gmail.com> wrote:

> When we do a :       bro -r dumpfile ,on a previously recorded dump file what are the standard checks Bro really executes? ALL that come defined within the Bro scripts directory ( export BROPATH=/...........)? Backdoor.bro,etc.etc.? Or just A PART of it?
>                                                    Thanks.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list