[Bro-Dev] Option -z

Vern Paxson vern at icir.org
Wed May 25 20:56:49 PDT 2016

> Does anybody remember what Bro's option -z is for?

Well it's there in CHANGES, per the appended.  But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also reasonable.


0.9a8 Wed Feb 16 17:09:34 PST 2005


- Bro now has a geneal mechanism internal for traversing policy scripts
  (Umesh Shankar).  Various script analyses can be specified using the
  new -z flag.

  Currently, the one supported form of analysis is "-z notice", which
  prints all of the different types of notices that the script you've
  loaded can generate.  For example, "bro -z notice ftp" will generate:

	  Found NOTICE: BackscatterSeen
	  Found NOTICE: FTP_PrivPort
	  Found NOTICE: FTP_BadPort
	  Found NOTICE: PortScan
	  Found NOTICE: FTP_ExcessiveFilename
	  Found NOTICE: ScanSummary
	  Found NOTICE: AddressDropped
	  Found NOTICE: DroppedPackets
	  Found NOTICE: SensitiveConnection
	  Found NOTICE: FTP_UnexpectedConn
	  Found NOTICE: SSH_Overflow
	  Found NOTICE: FTP_Sensitive
	  Found NOTICE: TerminatingConnection
	  Found NOTICE: PasswordGuessing
	  Found NOTICE: AddressDropIgnored
	  Found NOTICE: AddressScan

More information about the bro-dev mailing list