[Bro] Off-line analysis

shonx001 shonx001 at umn.edu
Sun Dec 5 15:39:26 PST 2004


Thanks for your kind explanation.
Anyhow, what I really want to know is how to do some ID attack analysis using
Bro.
If you have experienced such things with Bro, please let me know.
I have a raw tcpdump file, but it is not easy to handle Bro for offline
testing.

On 5 Dec 2004, john mcnicholas wrote:
> > When I try to off-line analysis with -r option, how can I use all Bro
> > rules?
> 
> I'm taking a stab at this since I've been wrestling with a very similar
> situation for a class.  Anyway, if by rules you mean snort type signatures
> you can do one of the following:
> 
> a. on the command line via -s rulefilename
> 
> b. in a policy script using the "signature_files" variable.  I've been doing
> the following:
> 
> 	redef signature_files += "snort-default.sig";
> 	redef signature_files += "worm.sig";
> 
> In addition I threw in an event to dump some info out.
> 
> event  bro_init()
> {
> 	print  fmt("-- signature_files = [%s]", signature_files);
> 
> 	# the http_servers is readable but by no means pretty.
> 	print  fmt("-- http_servers = [%s]", http_servers);
> }
> 
> Note: I'm no expert but I believe http_servers is significant for a number of
> the snort signatures.
> 
> For what it's worth, I've been attempting to compare snort vs bro for a class
> (perhaps like you are) and evidently I'm doing something wrong since I get
> dozens of unique alerts (or alarms) in snort, but only 3 unique ones in bro.
> I'm sure it is a configuration problem but if anyone wants to volunteer any
> suggestions it would be appreciated.
> 
> thanks.
> 
> john
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
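An added example, not code from either message above: a policy script that loads signature files the way John describes and, when run offline with `bro -r capture.pcap sigcount.bro`, tallies how many distinct signatures actually fired, which is the number John was comparing against Snort. It assumes the `signature_match` event with a `signature_state` record carrying `id` and `conn`, and that `http_servers` is a redefinable `set[addr]`; the signature file names and addresses are placeholders.

```bro
# sigcount.bro (added example). Run offline against a capture with:
#     bro -r capture.pcap sigcount.bro
# Assumptions: signature_match(state: signature_state, msg, data) with
# state$id and state$conn, and http_servers being a set[addr].

# Placeholder signature files; replace with your own.
redef signature_files += "snort-default.sig";
redef signature_files += "worm.sig";

# Placeholder web servers; several snort-derived signatures only
# consider traffic to hosts listed here.
redef http_servers += { 192.168.1.10, 192.168.1.11 };

# Signature id -> number of times it matched in this run.
global sig_hits: table[string] of count;

event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$id in sig_hits )
		++sig_hits[state$id];
	else
		sig_hits[state$id] = 1;

	# One line per match so it can be diffed against the snort alert file.
	print fmt("%s sig=%s %s -> %s: %s", network_time(), state$id,
	          state$conn$id$orig_h, state$conn$id$resp_h, msg);
	}

event bro_done()
	{
	# Unique-signature count: the figure to compare with snort's unique alerts.
	print fmt("-- %d unique signatures matched", length(sig_hits));
	for ( id in sig_hits )
		print fmt("%s\t%d", id, sig_hits[id]);
	}
```

If the unique count stays far below Snort's, check that every `.sig` file is actually found on the load path and that `http_servers` covers the servers present in the capture, since signatures gated on it are silently skipped otherwise.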