[Bro] Bro-ids dpd offline analysis

CS Lee geek00l at gmail.com
Wed Dec 6 00:47:47 PST 2006


Hey people,

I'm wondering whether there are any examples showing how to use bro with all the
argument options. I found it kind of confusing, especially for people who are new
to bro-ids, and there were not many results when I tried googling. Maybe having all the
usage examples in the wiki would be of much help.

By the way, I'm wondering whether there is a way to do offline analysis of a pcap using
dpd. I have checked out brolite.bro, where it loads -

@load dpd
@load irc-bot
@load dyn-disable
@load detect-protocols
@load detect-protocols-http
@load proxy

I tried loading all of this into mt.bro and running -

bro -r test.pcap mt

It runs fine without loading all the dpd-related analyzers. However, I
have gone through all the bro workshop presentation slides and came across
the DPD performance test, where it is used to run offline analysis against
large pcap files (the presentation done by Robin). I would like to know
how the test is conducted and how one can do efficient offline bulk data
analysis with the new bro-1.2.

Thanks.

-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>