[Bro] Off-line analysis
Vern Paxson
vern at icir.org
Sun Dec 5 13:38:14 PST 2004
> When I try to do off-line analysis with the -r option, how can I use all Bro
> rules?
The notion of "all Bro rules" is not that well defined. There are a large
number (100+) of policy files in policy/*.bro, some of which are incompatible
with others (for example, print-filter.bro prints the BPF filter being used
and then exits).
That said, here's what we use to run against our internal test suite:
@load site
@load mt
@load tftp
@load dns
@load flag-irc
@load smtp-relay
@load software
@load ssh
@load worm
@load backdoor.bro
@load blaster.bro
@load flag-warez.bro
@load gnutella.bro
@load http-abstract.bro
@load http-body.bro
@load http-reply.bro
@load icmp.bro
@load ssl-worm.bro
@load stepping.bro
@load synflood.bro
This winds up loading a whole lot of the analysis.
Vern