[Bro] Off-line analysis II
Christian Kreibich
christian at whoop.org
Fri Dec 10 02:20:35 PST 2004
Hi,
On Fri, 2004-12-10 at 06:58, shonx001 wrote:
> Dear Great Researchers,
>
> When I tried to do Bro Offline test, I just got many ***.log files about
> dos dump, normal dump, and so on.
> However, when I tried to do that in real time mode, I could have various
> alert about real time packets.
>
> Could you let me know how I can obtain more realistic Bro alert result in
> OFF-Line Analysis?
there is absolutely no difference between using trace files (I presume
that's what you mean by "offline") and real traffic in the output
generated by Bro. What you get as output when reading in trace files is
exactly the same you'd get if you had seen those packets on a live
network.
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org