[Bro] Off-line analysis II
scott campbell
scampbell at lbl.gov
Fri Dec 10 10:18:57 PST 2004
The logs in question are just being named differently by the differing
mechanisms that are running bro. When bro runs, it checks for an
environment variable called BRO_LOG_SUFFIX which it appends to the end
of the file name. When you manually run bro, typically this is not
defined and you get, e.g.:
alarm.log
When you start bro via the bro.rc script, the value is defined and you
get a file name of:
alarm.cist.04-12-11_01.05.10
This was put in place to prevent file name collisions on long-running boxes.
What bro puts into the files is the same in both cases.
Is this helpful?
scott
shonx001 wrote:
> If so, you mean that first real traffic result and second trace result have
> just different log file name?
> In the case of real time, "attack"."server name".date info
> In the case of off-line, "attack".log
> ???
>
>
> active_log
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 alarm.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 conn.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 ftp.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 http.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 787 2004-12-11 01:05 info.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 notice.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 signatures.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 smtp.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 software.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 12288 2004-12-11 01:05 weird.cist.04-12-11_01.05.10
> -rw-r--r-- 1 root root 0 2004-12-11 01:05 worm.cist.04-12-11_01.05.10
>
>
> -rw-r--r-- 1 root root 5478 2004-12-10 14:04 alarm.log
> -rw-r--r-- 1 root root 3828 2004-12-10 14:04 backdoor.log
> -rw-r--r-- 1 root root 4430446 2004-12-10 14:04 conn.log
> -rw-r--r-- 1 root root 992902 2004-12-10 14:04 dns.log
> -rw-r--r-- 1 root root 122129 2004-12-10 14:04 ftp.log
> -rw-r--r-- 1 root root 12178262 2004-12-10 14:04 http.log
> -rw-r--r-- 1 root root 124416 2004-12-10 14:04 icmp.log
> -rw-r--r-- 1 root root 5376365 2004-12-10 14:04 mime.log
> -rw-r--r-- 1 root root 9499 2004-12-10 14:04 notice.log
> -rw-r--r-- 1 root root 561990 2004-12-10 14:04 relay.log
> -rw-r--r-- 1 root root 0 2004-12-10 14:02 signatures.log
> -rw-r--r-- 1 root root 1681584 2004-12-10 14:04 smtp.log
> -rw-r--r-- 1 root root 0 2004-12-10 14:02 software.log
> -rw-r--r-- 1 root root 5899 2004-12-10 14:04 ssh.log
> -rw-r--r-- 1 root root 0 2004-12-10 14:02 step.log
> -rw-r--r-- 1 root root 2505550 2004-12-10 14:04 weird.log
> -rw-r--r-- 1 root root 0 2004-12-10 14:02 worm.log
> drwxr-xr-x 2 root root 4096 2004-12-10 14:03 xscript.log
>
>
>
> On 10 Dec 2004, Christian Kreibich wrote:
>
>>Hi,
>>
>>On Fri, 2004-12-10 at 06:58, shonx001 wrote:
>>
>>>Dear Great Researchers,
>>>
>>>When I tried to do Bro Offline test, I just got many ***.log files about
>>>dos dump, normal dump, and so on.
>>>However, when I tried to do that in real time mode, I could have various
>>>alert about real time packets.
>>>
>>>Could you let me know how I can obtain more realistic Bro alert result in
>>>OFF-Line Analysis?
>>
>>there is absolutely no difference between using trace files (I presume
>>that's what you mean by "offline") and real traffic in the output
>>generated by Bro. What you get as output when reading in trace files is
>>exactly the same you'd get if you had seen those packets on a live
>>network.
>>
>>Cheers,
>>Christian.
>>--
>>________________________________________________________________________
>> http://www.cl.cam.ac.uk/~cpk25
>> http://www.whoop.org
>>
>>
>>_______________________________________________
>>Bro mailing list
>>bro at bro-ids.org
>>http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
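The naming rule Scott describes at the top of this message, worked through as a small POSIX shell illustration. This is an added example, not Bro's own code and not bro.rc; it assumes only the behaviour stated above (no suffix gives `alarm.log`, a set BRO_LOG_SUFFIX gives `alarm.<suffix>`) and the helper names `bro_log_name`, `bro_log_type`, `bro_log_suffix` and `find_bro_logs` are hypothetical. The parsing side handles both naming forms, so one collection script finds the same log type whether Bro was started by hand or via bro.rc.

```shell
# Added illustration of the BRO_LOG_SUFFIX naming rule; not Bro's code.
# Bro applies the suffix internally; these helpers only reproduce the
# observable file names so scripts can be checked against them.

# bro_log_name BASE [SUFFIX]
# File name Bro would produce for log type BASE. Without a suffix (a manual
# run) it is BASE.log; with one (bro.rc sets BRO_LOG_SUFFIX) it is BASE.SUFFIX.
bro_log_name() {
    base=$1
    suffix=${2:-${BRO_LOG_SUFFIX:-}}
    if [ -n "$suffix" ]; then
        printf '%s.%s\n' "$base" "$suffix"
    else
        printf '%s.log\n' "$base"
    fi
}

# bro_log_type FILENAME
# Recover the log type (alarm, conn, http, ...) from either naming form:
# everything before the first dot.
bro_log_type() {
    printf '%s\n' "${1%%.*}"
}

# bro_log_suffix FILENAME
# The part after the type: the BRO_LOG_SUFFIX value for a bro.rc-started
# run, or the literal "log" for an unsuffixed manual run.
bro_log_suffix() {
    printf '%s\n' "${1#*.}"
}

# find_bro_logs TYPE [DIR]
# List every file of log type TYPE in DIR, whichever naming form was used,
# so an analyst comparing an offline run with a live run sees both.
find_bro_logs() {
    logtype=$1
    dir=${2:-.}
    for f in "$dir"/"$logtype".*; do
        [ -e "$f" ] || continue
        printf '%s\n' "$f"
    done
}
```

Typical use is `BRO_LOG_SUFFIX=cist.04-12-11_01.05.10 bro_log_name alarm`, which yields the bro.rc-style name, while `bro_log_name alarm` with the variable unset yields `alarm.log`; running `find_bro_logs alarm /path/to/logs` then lists both files from the listing quoted above.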