> I first have to make "my own".bro, and then add the "my own.bro" file to > policy setting in bro.cfg? No, bro.cfg is for (somewhat) turnkey operational use. For your own offline analysis, you should ignore it and just create your own file my-own.bro and then use bro -r tracefile my-own to process it. Vern