[Bro] broctl reading from pcap files
vat at mnworks.dk
Mon Sep 15 04:02:20 PDT 2014
I'm using BRO in Security Onion and I need to test the traffic captured
from a deployment in a test environment. Instead of monitoring an
interface, i want to read from a directory containing pcap files (and/or
a large pcap file). SO uses broctl in its scripts to start/manage BRO
but I don't know if there is an argument to add in any of broctl config
files (node.cfg, broctl.cfg) that will make BRO read from PCAP files.
I've also looked into BROs cli and if I were to use this it would be a
problem because of the way logs are being stored in SO - in timestamped
folders and a "current" folder.
My questions are:
- can broctl read from PCAP files?
- can i use BROs cli to save the log files in a SO fashion (timestamped
directories and others) without additional bash?
MN Works ApS - www.mnworks.dk
Telephone (DK) : +45 50 36 93 72
Blog/Website : http://truica-victor.com
E-Mail : vat at mnworks.dk
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro