[Bro] Question on bro anonymization

Roger Winslow RWinslow at lbl.gov
Sat Jul 23 07:44:47 PDT 2005


Are you running on a fairly quiet link?  If so, it can take a long time
for packets to start showing up in the logs, as data is flushed to files
when the handles fill, not when data arrives.

Try this in your site policy:
@load file-flush        # flush file writes at 10 second intervals

This will flush data to files every ten seconds.  Note that the timer
used here is network_time().  This means that if no data arrives, time
does not increment and nothing gets flushed to files.

This policy should only be used on links that are not very busy as the
file flushing can get expensive the more data there is.

Have you verified that Bro is actually running after you start it?  Try ->
"./bro.rc status".  If it shows not running, then take a look at syslog or
the info file.

Also make sure Bro is listening on the interface you expect.  Check the
info file for what interfaces Bro thinks it's listening on.

----- Original Message -----
From: Antonatos Spiros <antonat at ics.forth.gr>
Date: Saturday, July 23, 2005 3:01 am
Subject: [Bro] Question on bro anonymization

> Hi,
> 	I am trying to use the anonymization features of bro but it seems
> that I can't enable it since no packets are written to output or 
> log files.
> Is there any documentation about these features? Any example policy 
> scripts?
> Thanks in advance,
> Antonatos Spiros
> 
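
The point in the reply about the flush timer running on network_time(), as an added illustration that is not part of the original message and is not Bro code: a simplified Python model of a flush timer whose clock only advances when a packet arrives. The function names and packet timestamps are constructed for this example.

```python
# Simplified model (constructed; not Bro source) of a periodic flush timer
# whose clock is the timestamp of the most recent packet ("network time").
FLUSH_INTERVAL = 10.0  # seconds, the interval mentioned in the message


def flush_visibility(packet_times, interval=FLUSH_INTERVAL):
    """Return [(packet_ts, flushed_ts_or_None)] for each packet's log record."""
    results = []        # one entry per packet, in arrival order
    pending = []        # indexes of records buffered but not yet on disk
    next_flush = None   # network time at which the flush timer is due
    for ts in packet_times:
        if next_flush is None:
            next_flush = ts + interval      # timer armed by the first packet
        elif ts >= next_flush:
            # The timer can only expire here: this packet moved the clock.
            for i in pending:
                results[i] = (results[i][0], ts)
            pending.clear()
            next_flush = ts + interval      # re-arm relative to network time
        results.append((ts, None))          # this packet's record is buffered
        pending.append(len(results) - 1)
    return results


def worst_delay(results):
    """Longest wait, in seconds, between a packet and its record reaching disk."""
    delays = [seen - ts for ts, seen in results if seen is not None]
    return max(delays) if delays else None


def still_buffered(results):
    """Records that never reached disk because no later packet moved the clock."""
    return sum(1 for _, seen in results if seen is None)


# Constructed packet timestamps (seconds): a quiet link with a long silence,
# and a busy link with one packet every half second.
QUIET_LINK = [0.0, 2.0, 3.0, 400.0, 401.0]
BUSY_LINK = [i * 0.5 for i in range(60)]

if __name__ == "__main__":
    for name, times in (("quiet", QUIET_LINK), ("busy", BUSY_LINK)):
        r = flush_visibility(times)
        print(name, "worst delay:", worst_delay(r), "s; still buffered:", still_buffered(r))
```

On the quiet link the first three records wait for the packet at 400 seconds before they are written, and the last two stay buffered, which matches the symptom of empty log files on an idle interface.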