[Bro] Off-line analysis II

scott campbell scampbell at lbl.gov
Fri Dec 10 10:18:57 PST 2004


The logs in question are just being named differently by the differing 
mechanisms that are running bro.  When bro runs, it checks for an 
environment variable called BRO_LOG_SUFFIX which it appends to the end 
of the file name.  When you manually run bro, typically this is not 
defined and you get, e.g.:

alarm.log

When you start bro via the bro.rc script, the value is defined and you 
get a file name of:

alarm.cist.04-12-11_01.05.10

This was put in place to prevent file name collisions on long running boxes.

What bro puts into the files is the same in both cases.

Is this helpful?

scott
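Because the two runs above name their logs differently, an analyst comparing an offline trace run with a live bro.rc run first has to map both file-name shapes back to the log type. The following is an added example, not code from this thread or from Bro itself: it reproduces the naming rule Scott describes (`<kind>.log` without BRO_LOG_SUFFIX, `<kind>.<suffix>` with it), parses both shapes, and reports which log kinds appear in only one of the two runs. The suffix layout `<host>.<YY-MM-DD>_<HH.MM.SS>` is an assumption read off the listing in this thread, and the sample file names are copied from that listing.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Suffix layout is inferred from the listing in this thread
# (<host>.<YY-MM-DD>_<HH.MM.SS>); bro.rc may build it differently elsewhere.
SUFFIX_RE = re.compile(
    r"^(?P<kind>[a-z_]+)\.(?P<host>[^.]+)\."
    r"(?P<stamp>\d{2}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2})$"
)
PLAIN_RE = re.compile(r"^(?P<kind>[a-z_]+)\.log$")


class BroLogName(NamedTuple):
    kind: str                    # alarm, conn, http, ...
    host: Optional[str]          # None for a manual run without BRO_LOG_SUFFIX
    started: Optional[datetime]  # None for a manual run without BRO_LOG_SUFFIX


def log_file_name(kind: str, suffix: Optional[str] = None) -> str:
    """Name bro gives a log file: '<kind>.log' when BRO_LOG_SUFFIX is unset,
    '<kind>.<suffix>' when it is set (as seen in the two listings above)."""
    return f"{kind}.log" if not suffix else f"{kind}.{suffix}"


def parse_log_name(name: str) -> Optional[BroLogName]:
    """Recognise either naming shape; return None for anything else."""
    m = PLAIN_RE.match(name)
    if m:
        return BroLogName(m["kind"], None, None)
    m = SUFFIX_RE.match(name)
    if m:
        started = datetime.strptime(m["stamp"], "%y-%m-%d_%H.%M.%S")
        return BroLogName(m["kind"], m["host"], started)
    return None


def group_by_kind(names: List[str]) -> Dict[str, List[BroLogName]]:
    """Bucket file names by log kind so the same kind from both runs can be
    compared side by side."""
    groups: Dict[str, List[BroLogName]] = {}
    for name in names:
        parsed = parse_log_name(name)
        if parsed is not None:
            groups.setdefault(parsed.kind, []).append(parsed)
    return groups


def kinds_missing(offline: List[str], live: List[str]) -> Tuple[List[str], List[str]]:
    """Log kinds present in one run but not the other. Since bro writes the
    same content either way, a difference here points at different policy
    scripts being loaded, not at offline vs. live analysis."""
    off_kinds = set(group_by_kind(offline))
    live_kinds = set(group_by_kind(live))
    return sorted(off_kinds - live_kinds), sorted(live_kinds - off_kinds)


# Sample names copied from the listings quoted in this thread.
LIVE_RUN = [
    "alarm.cist.04-12-11_01.05.10", "conn.cist.04-12-11_01.05.10",
    "http.cist.04-12-11_01.05.10", "info.cist.04-12-11_01.05.10",
    "notice.cist.04-12-11_01.05.10", "weird.cist.04-12-11_01.05.10",
]
OFFLINE_RUN = [
    "alarm.log", "backdoor.log", "conn.log", "dns.log",
    "http.log", "notice.log", "weird.log",
]

if __name__ == "__main__":
    only_offline, only_live = kinds_missing(OFFLINE_RUN, LIVE_RUN)
    print("only in offline run:", only_offline)
    print("only in live run:   ", only_live)
```

Running it against the two listings quoted below reports `backdoor` and `dns` as offline-only and `info` as live-only, which is the kind of gap to check in the loaded policy before assuming the offline run is "less realistic".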


shonx001 wrote:
> If so, you mean that first real traffic result and second trace result have
> just different log file name?
> In the case of real time, "attack"."server name".date info
> In the case of off-line, "attack".log  
> ???
> 
> 
>  active_log
> -rw-r--r--  1 root root     0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 ftp.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 http.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root   787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 notice.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 signatures.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 smtp.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 software.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
> -rw-r--r--  1 root root     0 2004-12-11 01:05 worm.cist.04-12-11_01.05.10
> 
> 
> -rw-r--r--  1 root root     5478 2004-12-10 14:04 alarm.log
> -rw-r--r--  1 root root     3828 2004-12-10 14:04 backdoor.log
> -rw-r--r--  1 root root  4430446 2004-12-10 14:04 conn.log
> -rw-r--r--  1 root root   992902 2004-12-10 14:04 dns.log
> -rw-r--r--  1 root root   122129 2004-12-10 14:04 ftp.log
> -rw-r--r--  1 root root 12178262 2004-12-10 14:04 http.log
> -rw-r--r--  1 root root   124416 2004-12-10 14:04 icmp.log
> -rw-r--r--  1 root root  5376365 2004-12-10 14:04 mime.log
> -rw-r--r--  1 root root     9499 2004-12-10 14:04 notice.log
> -rw-r--r--  1 root root   561990 2004-12-10 14:04 relay.log
> -rw-r--r--  1 root root        0 2004-12-10 14:02 signatures.log
> -rw-r--r--  1 root root  1681584 2004-12-10 14:04 smtp.log
> -rw-r--r--  1 root root        0 2004-12-10 14:02 software.log
> -rw-r--r--  1 root root     5899 2004-12-10 14:04 ssh.log
> -rw-r--r--  1 root root        0 2004-12-10 14:02 step.log
> -rw-r--r--  1 root root  2505550 2004-12-10 14:04 weird.log
> -rw-r--r--  1 root root        0 2004-12-10 14:02 worm.log
> drwxr-xr-x  2 root root     4096 2004-12-10 14:03 xscript.log
> 
> 
> 
> On 10 Dec 2004, Christian Kreibich wrote:
> 
>>Hi,
>>
>>On Fri, 2004-12-10 at 06:58, shonx001 wrote:
>>
>>>Dear Great Researchers,
>>>
>>>When I tried to do Bro Offline test, I just got many ***.log files about
>>>dos dump, normal dump, and so on.
>>>However, when I tried to do that in real time mode, I could have various
>>>alert about real time packets. 
>>>
>>>Could you let me know how I can obtain more realistic Bro alert result in
>>>OFF-Line Analysis?
>>
>>there is absolutely no difference between using trace files (I presume
>>that's what you mean by "offline") and real traffic in the output
>>generated by Bro. What you get as output when reading in trace files is
>>exactly the same you'd get if you had seen those packets on a live
>>network.
>>
>>Cheers,
>>Christian.
>>-- 
>>________________________________________________________________________
>>                                          http://www.cl.cam.ac.uk/~cpk25
>>                                                    http://www.whoop.org
>>
>>
>>_______________________________________________
>>Bro mailing list
>>bro at bro-ids.org
>>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
> 
> 
> 
