[Bro] Off-line analysis II
shonx001
shonx001 at umn.edu
Fri Dec 10 08:09:26 PST 2004
If so, do you mean that the first (real-traffic) result and the second (trace) result just have different log file names?
In the case of real time: "attack"."server name".date info
In the case of off-line: "attack".log
???
active_log
-rw-r--r-- 1 root root 0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 ftp.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 http.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 notice.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 signatures.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 smtp.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 software.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 0 2004-12-11 01:05 worm.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 5478 2004-12-10 14:04 alarm.log
-rw-r--r-- 1 root root 3828 2004-12-10 14:04 backdoor.log
-rw-r--r-- 1 root root 4430446 2004-12-10 14:04 conn.log
-rw-r--r-- 1 root root 992902 2004-12-10 14:04 dns.log
-rw-r--r-- 1 root root 122129 2004-12-10 14:04 ftp.log
-rw-r--r-- 1 root root 12178262 2004-12-10 14:04 http.log
-rw-r--r-- 1 root root 124416 2004-12-10 14:04 icmp.log
-rw-r--r-- 1 root root 5376365 2004-12-10 14:04 mime.log
-rw-r--r-- 1 root root 9499 2004-12-10 14:04 notice.log
-rw-r--r-- 1 root root 561990 2004-12-10 14:04 relay.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 signatures.log
-rw-r--r-- 1 root root 1681584 2004-12-10 14:04 smtp.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 software.log
-rw-r--r-- 1 root root 5899 2004-12-10 14:04 ssh.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 step.log
-rw-r--r-- 1 root root 2505550 2004-12-10 14:04 weird.log
-rw-r--r-- 1 root root 0 2004-12-10 14:02 worm.log
drwxr-xr-x 2 root root 4096 2004-12-10 14:03 xscript.log
On 10 Dec 2004, Christian Kreibich wrote:
> Hi,
>
> On Fri, 2004-12-10 at 06:58, shonx001 wrote:
> > Dear Great Researchers,
> >
> > When I tried to do a Bro offline test, I just got many ***.log files about
> > dos dump, normal dump, and so on.
> > However, when I tried to do that in real time mode, I could get various
> > alerts about real time packets.
> >
> > Could you let me know how I can obtain more realistic Bro alert results in
> > OFF-Line Analysis?
>
> there is absolutely no difference between using trace files (I presume
> that's what you mean by "offline") and real traffic in the output
> generated by Bro. What you get as output when reading in trace files is
> exactly the same you'd get if you had seen those packets on a live
> network.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
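The two filename schemes visible in the listing above (live capture: `<type>.<host>.<timestamp>`, trace replay: `<type>.log`) can be mapped back to the same Bro log types, which makes it easy to check whether a live run and a trace run produced the same set of logs and how much data each one wrote. The following script is an added example, not code from the original post or from the Bro project. It assumes only what the listing shows: `ls -l` column order (permissions, links, owner, group, size, date, time, name) and the two naming patterns; the sample lines are copied from the listing above, and the regular expressions are the author's own reconstruction of the schemes.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Two Bro log-file naming schemes, as inferred from the directory listing above:
#   live capture : <type>.<hostname>.<YY-MM-DD_HH.MM.SS>   e.g. conn.cist.04-12-11_01.05.10
#   trace replay : <type>.log                              e.g. conn.log
# (Assumption: the patterns are reconstructed from the listing, not taken from Bro docs.)
LIVE_RE = re.compile(
    r"^(?P<type>[a-z]+)\.(?P<host>[^.]+)\.(?P<stamp>\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2})$"
)
OFFLINE_RE = re.compile(r"^(?P<type>[a-z]+)\.log$")


@dataclass
class LogFile:
    log_type: str            # "conn", "http", "weird", ...
    mode: str                # "live" or "offline"
    host: Optional[str]      # sensor hostname (live scheme only)
    stamp: Optional[str]     # rotation timestamp (live scheme only)
    size: int                # bytes, from the ls -l size column


def parse_listing_line(line: str) -> Optional[LogFile]:
    """Parse one `ls -l` line; return None for directories and unrecognised names."""
    parts = line.split()
    # Regular files only: this skips the xscript.log directory and blank lines.
    if len(parts) < 8 or not parts[0].startswith("-"):
        return None
    size, name = int(parts[4]), parts[7]
    m = LIVE_RE.match(name)
    if m:
        return LogFile(m["type"], "live", m["host"], m["stamp"], size)
    m = OFFLINE_RE.match(name)
    if m:
        return LogFile(m["type"], "offline", None, None, size)
    return None


def compare_runs(listing: str) -> Dict[str, Dict[str, int]]:
    """Map each log type to the byte size it reached in the live and the offline run."""
    table: Dict[str, Dict[str, int]] = {}
    for line in listing.splitlines():
        lf = parse_listing_line(line)
        if lf:
            table.setdefault(lf.log_type, {})[lf.mode] = lf.size
    return table


def report(table: Dict[str, Dict[str, int]]) -> str:
    """One row per log type, showing which run produced it and how many bytes."""
    rows = []
    for log_type in sorted(table):
        live = table[log_type].get("live")
        off = table[log_type].get("offline")
        live_s = "-" if live is None else str(live)
        off_s = "-" if off is None else str(off)
        rows.append(f"{log_type:10} live={live_s:>8} offline={off_s:>8}")
    return "\n".join(rows)


# Constructed sample: a subset of the `ls -l active_log` output posted above.
SAMPLE_LISTING = """\
-rw-r--r-- 1 root root 0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
-rw-r--r-- 1 root root 5478 2004-12-10 14:04 alarm.log
-rw-r--r-- 1 root root 4430446 2004-12-10 14:04 conn.log
-rw-r--r-- 1 root root 992902 2004-12-10 14:04 dns.log
-rw-r--r-- 1 root root 2505550 2004-12-10 14:04 weird.log
drwxr-xr-x 2 root root 4096 2004-12-10 14:03 xscript.log
"""

if __name__ == "__main__":
    print(report(compare_runs(SAMPLE_LISTING)))
```

Run it against the real directory with `ls -l active_log | python3 compare_bro_logs.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`; log types that appear in only one column, or with a size of 0 on one side, are the ones worth inspecting before concluding that the two modes behave differently.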