[Bro] Question on bro anonymization

Antonatos Spiros antonat at ics.forth.gr
Sat Jul 23 08:24:10 PDT 2005


I read traffic from a 2GB trace but my problem is I don't have any example
policy scripts that can help me write anonymization policies.  

Antonatos Spiros
 
 

> -----Original Message-----
> From: Roger Winslow [mailto:RWinslow at lbl.gov]
> Sent: Saturday, July 23, 2005 5:45 PM
> To: Antonatos Spiros
> Cc: Bro at bro-ids.org; antonat at ics.forth.gr
> Subject: Re: [Bro] Question on bro anonymization
> 
> Are you running on a fairly quiet link?  If so it can take a long time
> for packets to start showing up in the logs as data is flushed to files
> when the handles fill, not when data arrives.
> 
> Try this in your site policy
> @load file-flush        # flush file writes at 10 second intervals
> 
> This will flush data to files every ten seconds.  Note that the timer
> used here is network_time().  This means that if no data arrives time
> does not increment and nothing gets flushed to files.
> 
> This policy should only be used on links that are not very busy as the
> file flushing can get expensive the more data there is.
> 
> Have you verified that Bro is actually running after you start it?  Try ->
> "./bro.rc status"  If it shows not running then take a look at syslog or
> the info file.
> 
> Also make sure Bro is listening on the interface you expect.  Check the
> info file for what interfaces Bro thinks it's listening on.
> 
> ----- Original Message -----
> From: Antonatos Spiros <antonat at ics.forth.gr>
> Date: Saturday, July 23, 2005 3:01 am
> Subject: [Bro] Question on bro anonymization
> 
> > Hi,
> > 	I am trying to use the anonymization features of bro but it seems
> > that I can't enable it since no packets are written to output or
> > log files.
> > Is there any documentation about these features? Any example policy
> > scripts?
> > Thanks in advance,
> > Antonatos Spiros



