[Bro-Dev] Option -z
vern at icir.org
Wed May 25 20:56:49 PDT 2016
> Does anybody remember what Bro's option -z is for?
Well it's there in CHANGES, per the appended. But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also reasonable.
0.9a8 Wed Feb 16 17:09:34 PST 2005
- Bro now has a general mechanism internal for traversing policy scripts
(Umesh Shankar). Various script analyses can be specified using the
new -z flag.
Currently, the one supported form of analysis is "-z notice", which
prints all of the different types of notices that the script you've
loaded can generate. For example, "bro -z notice ftp" will generate:
Found NOTICE: BackscatterSeen
Found NOTICE: FTP_PrivPort
Found NOTICE: FTP_BadPort
Found NOTICE: PortScan
Found NOTICE: FTP_ExcessiveFilename
Found NOTICE: ScanSummary
Found NOTICE: AddressDropped
Found NOTICE: DroppedPackets
Found NOTICE: SensitiveConnection
Found NOTICE: FTP_UnexpectedConn
Found NOTICE: SSH_Overflow
Found NOTICE: FTP_Sensitive
Found NOTICE: TerminatingConnection
Found NOTICE: PasswordGuessing
Found NOTICE: AddressDropIgnored
Found NOTICE: AddressScan