[Bro] tcpdump -w

Angelita de Cássia Corrêa angelita at uol.com.br
Fri Jun 17 05:48:46 PDT 2005


Now, I test with ./bro -i eth0, and I think Bro detects the scans that I
simulated.

One question: I intend to use two interfaces. One is the host management
interface; I'll use it to simulate some attacks or scans, and it has an IP
address. The other is the interface that will receive the live traffic; this
one doesn't have an IP address.
Do I need another interface, like the manual says, or is it enough to test the
Bro IDS?

Thanks!
Angelita

----- Original Message ----- 
From: "Christian Kreibich" <christian at whoop.org>
To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
Cc: "Bro List" <bro at bro-ids.org>
Sent: Thursday, June 16, 2005 6:02 PM
Subject: Re: [Bro] tcpdump -w


On Thu, 2005-06-16 at 16:46 -0300, Angelita de Cássia Corrêa wrote:
> I tested tcpdump -w only as a test, but I will run Bro on live traffic.
>
> Do I need to edit some policy files, like scan.bro, tcp.bro or other
> files?

No, it doesn't matter to the policy scripts whether the traffic comes
from trace files or a live network. The only difference is in the way
you start Bro (-i vs -r).

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
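The two points raised in the thread, picking -r for a trace file versus -i for a live interface, and running the sniffing interface without an IP address, as an added shell example that is not part of the original mails. It assumes Linux with iproute2 (`ip`) and sysfs; the function and interface names are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Bro reads a trace with -r and sniffs a
# live interface with -i; the policy scripts are the same either way, so only
# the invocation changes.

# Print the Bro input arguments for SRC: "-r SRC" if it is a readable trace
# file, "-i SRC" if it is a network interface on this host; fail otherwise.
bro_input_args() {
    src=$1
    if [ -f "$src" ] && [ -r "$src" ]; then
        printf '%s %s\n' -r "$src"
    elif [ -d "/sys/class/net/$src" ]; then
        printf '%s %s\n' -i "$src"
    else
        echo "bro_input_args: '$src' is neither a trace file nor an interface" >&2
        return 1
    fi
}

# The sniffing interface should carry no IP address (as described in the
# question): succeed only if `ip -4 addr show` lists no inet address on it.
iface_has_no_ip() {
    iface=$1
    ! ip -4 -o addr show dev "$iface" 2>/dev/null | grep -q ' inet '
}

# Bring a tap/SPAN-fed interface up in promiscuous mode and confirm it has no
# address before Bro listens on it (assumes iproute2; needs root).
prepare_sniff_iface() {
    iface=$1
    ip link set dev "$iface" up promisc on || return 1
    iface_has_no_ip "$iface" || { echo "$iface still has an IPv4 address" >&2; return 1; }
}

# Usage (hypothetical interface name eth1 and trace file trace.pcap):
#   prepare_sniff_iface eth1 && ./bro $(bro_input_args eth1) mt
#   ./bro $(bro_input_args trace.pcap) mt
```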