[Bro] Off-line analysis II

shonx001 shonx001 at umn.edu
Fri Dec 10 08:09:26 PST 2004


If so, do you mean that the first (real traffic) result and the second (trace) result differ
only in their log file names?
In the case of real time, "attack"."server name".date info
In the case of off-line, "attack".log  
???


 active_log
-rw-r--r--  1 root root     0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 ftp.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 http.cist.04-12-11_01.05.10
-rw-r--r--  1 root root   787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 notice.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 signatures.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 smtp.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 software.cist.04-12-11_01.05.10
-rw-r--r--  1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
-rw-r--r--  1 root root     0 2004-12-11 01:05 worm.cist.04-12-11_01.05.10


-rw-r--r--  1 root root     5478 2004-12-10 14:04 alarm.log
-rw-r--r--  1 root root     3828 2004-12-10 14:04 backdoor.log
-rw-r--r--  1 root root  4430446 2004-12-10 14:04 conn.log
-rw-r--r--  1 root root   992902 2004-12-10 14:04 dns.log
-rw-r--r--  1 root root   122129 2004-12-10 14:04 ftp.log
-rw-r--r--  1 root root 12178262 2004-12-10 14:04 http.log
-rw-r--r--  1 root root   124416 2004-12-10 14:04 icmp.log
-rw-r--r--  1 root root  5376365 2004-12-10 14:04 mime.log
-rw-r--r--  1 root root     9499 2004-12-10 14:04 notice.log
-rw-r--r--  1 root root   561990 2004-12-10 14:04 relay.log
-rw-r--r--  1 root root        0 2004-12-10 14:02 signatures.log
-rw-r--r--  1 root root  1681584 2004-12-10 14:04 smtp.log
-rw-r--r--  1 root root        0 2004-12-10 14:02 software.log
-rw-r--r--  1 root root     5899 2004-12-10 14:04 ssh.log
-rw-r--r--  1 root root        0 2004-12-10 14:02 step.log
-rw-r--r--  1 root root  2505550 2004-12-10 14:04 weird.log
-rw-r--r--  1 root root        0 2004-12-10 14:02 worm.log
drwxr-xr-x  2 root root     4096 2004-12-10 14:03 xscript.log



On 10 Dec 2004, Christian Kreibich wrote:
> Hi,
> 
> On Fri, 2004-12-10 at 06:58, shonx001 wrote:
> > Dear Great Researchers,
> > 
> > When I tried to do the Bro offline test, I just got many ***.log files about
> > the DoS dump, the normal dump, and so on.
> > However, when I tried to do that in real-time mode, I could get various
> > alerts about real-time packets.
> > 
> > Could you let me know how I can obtain more realistic Bro alert results in
> > off-line analysis?
> 
> there is absolutely no difference between using trace files (I presume
> that's what you mean by "offline") and real traffic in the output
> generated by Bro. What you get as output when reading in trace files is
> exactly the same you'd get if you had seen those packets on a live
> network.
> 
> Cheers,
> Christian.
> -- 
> ________________________________________________________________________
>                                           http://www.cl.cam.ac.uk/~cpk25
>                                                     http://www.whoop.org
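The two listings above show the only visible difference between the runs: the live capture writes rotated files named type.host.YY-MM-DD_HH.MM.SS, while the trace-file run writes plain type.log files. The following script is an added example (not part of this thread or of Bro itself) that parses "ls -l" lines in that shape, classifies each file by log type and mode, and pairs the two runs so that log types present in only one of them stand out; the sample listings are constructed from the shapes in the thread.

```python
import re
from datetime import datetime

# Constructed sample input: "ls -l" lines shaped like the two listings in the thread
# (one rotated live-capture set, one plain trace-file set).
LIVE_LS = """\
-rw-r--r--  1 root root     0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
-rw-r--r--  1 root root   787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
-rw-r--r--  1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
"""
OFFLINE_LS = """\
-rw-r--r--  1 root root     5478 2004-12-10 14:04 alarm.log
-rw-r--r--  1 root root   992902 2004-12-10 14:04 dns.log
-rw-r--r--  1 root root  2505550 2004-12-10 14:04 weird.log
drwxr-xr-x  2 root root     4096 2004-12-10 14:03 xscript.log
"""

# mode, links, owner, group, size, date, time, name
LS_LINE = re.compile(r"^(\S+)\s+\d+\s+\S+\s+\S+\s+(\d+)\s+\S+\s+\S+\s+(\S+)$")
# <type>.<host>.<YY-MM-DD_HH.MM.SS>: rotated log written by a live capture
ROTATED = re.compile(r"^([a-z]+)\.([^.]+)\.(\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2})$")
# <type>.log: plain name as produced by the trace-file run
PLAIN = re.compile(r"^([a-z]+)\.log$")

def classify(name):
    """Return (log_type, mode, host, rotation_time) for a Bro log filename, else None."""
    if m := ROTATED.match(name):
        ts = datetime.strptime(m.group(3), "%y-%m-%d_%H.%M.%S")
        return m.group(1), "live", m.group(2), ts
    if m := PLAIN.match(name):
        return m.group(1), "offline", None, None
    return None

def parse_ls(text):
    """Map log_type -> byte size for regular files in an 'ls -l' listing."""
    sizes = {}
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m or m.group(1).startswith("d"):  # skip directories such as xscript.log
            continue
        if info := classify(m.group(3)):
            sizes[info[0]] = int(m.group(2))
    return sizes

def compare_runs(live_ls, offline_ls):
    """Per log type: (live_size, offline_size); None where that run wrote no file."""
    live, off = parse_ls(live_ls), parse_ls(offline_ls)
    return {t: (live.get(t), off.get(t)) for t in sorted(set(live) | set(off))}

if __name__ == "__main__":
    for t, (l, o) in compare_runs(LIVE_LS, OFFLINE_LS).items():
        print(f"{t:10} live={l} offline={o}")
```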