[Bro-Dev] Option -z

Robin Sommer robin at icir.org
Mon May 23 11:59:01 PDT 2016

Does anybody remember what Bro's option -z is for?

    -z|--analyze <analysis>        | run the specified policy file analysis

Turns out the only supported "analysis" is "notice":

# bro -r x.pcap -z notice
Found NOTICE: PacketFilter::Dropped_Packets
Found NOTICE: PacketFilter::Install_Failure
Found NOTICE: Signatures::Signature_Summary
Found NOTICE: PacketFilter::Compile_Failure
Found NOTICE: Signatures::Multiple_Sig_Responders
Found NOTICE: Signatures::Sensitive_Signature
Found NOTICE: Signatures::Count_Signature
Found NOTICE: PacketFilter::Too_Long_To_Compile_Filter
Found NOTICE: Signatures::Multiple_Signatures

This looks very specific for hard-coded event-engine functionality. I
propose to remove unless somebody still sees a use for this?


Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin

More information about the bro-dev mailing list