[Bro] Off-line analysis
shonx001
shonx001 at umn.edu
Sun Dec 5 15:13:38 PST 2004
If so,
I first have to make "my own".bro, and then add the "my own.bro" file to the
policy setting in bro.cfg?
What I'm wondering is how to set up a general IDS off-line test.
In my opinion, it is not easy to test off-line in comparison with Snort,
although Bro's performance is better than Snort's. :)
I would really appreciate it if you could tell me a more specific method to use
Bro in an off-line test.
Best Regards,
Taeshik
On 5 Dec 2004, Vern Paxson wrote:
> > When I try to do off-line analysis with the -r option, how can I use all
> > Bro rules?
>
> The notion of "all Bro rules" is not that well defined. There are a large
> number (100+) of policy files in policy/*.bro, some of which are incompatible
> with others (for example, print-filter.bro prints the BPF filter being used
> and then exits).
>
> That said, here's what we use to run against our internal test suite:
>
> @load site
> @load mt
> @load tftp
> @load dns
> @load flag-irc
> @load smtp-relay
> @load software
> @load ssh
> @load worm
> @load backdoor.bro
> @load blaster.bro
> @load flag-warez.bro
> @load gnutella.bro
> @load http-abstract.bro
> @load http-body.bro
> @load http-reply.bro
> @load icmp.bro
> @load ssl-worm.bro
> @load stepping.bro
> @load synflood.bro
>
> This winds up loading a whole lot of the analysis.
>
> Vern
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>