[Bro] Capturing events

Robin Sommer robin at icir.org
Thu Feb 2 10:34:59 PST 2006


On Thu, Feb 02, 2006 at 11:03 -0500, David Vasil wrote:

> I noticed the capture-events.bro policy and loaded it; it has been 
> generating an events.bst file in my logs directory with data inside of 
> it.  My question is:  what can I get out of this file?  Is this just a 
> raw packet capture of anything that is flagged by a policy?

It's a capture of all events which were generated during run-time,
e.g., things like connection_established and http_request.
Events.bst contains all raised events including their timestamps and
parameters, so it's a very convenient way to understand what's going
on during operation (for large traffic streams it gets huge though
and may therefore be more suitable for smaller experiments).

You can display the contents of the file with the -x option:
        
    bro -x events.bst any-scripts-used-in-the-original-Bro-run.bro

> Also, I tried replaying the file using bro -R events.bst and it appears 
> to be waiting for standard input. 

The replay mechanism might actually be broken right now due to
internal changes. I'll look at it.

> I searched through the documentation and saw no reference to 'replay', 
> 'events.bst', or even '.bst'.

Uhm, that's right. Unfortunately, the best documentation of new
features is still the "CHANGES". 

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
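The workflow Robin describes needs the same policy script on both runs: once on live traffic or a trace (so capture-events writes events.bst) and again with -x to display the recorded events. The script below is an added example, not code from the original mail or from the Bro distribution; it assumes capture-events.bro is the policy from the question, that connection_established and http_request carry the handler signatures of Bro's default policy of that era, and that trace.pcap is a hypothetical input file.

```bro
# Added example (not from the original mail). Assumed workflow:
#
#   bro -r trace.pcap show-events.bro    # trace.pcap is hypothetical; writes events.bst
#   bro -x events.bst show-events.bro    # displays the captured events
#
# capture-events is the policy named in the question; loading it here
# means every handler invocation below is also recorded with its
# timestamp and parameters.
@load capture-events

# Fires once per completed TCP handshake; c$id holds the connection 4-tuple.
event connection_established(c: connection)
    {
    print fmt("%.6f connection_established %s:%s -> %s:%s",
              network_time(), c$id$orig_h, c$id$orig_p,
              c$id$resp_h, c$id$resp_p);
    }

# Fires for each HTTP request line the analyzer parses.  The unescaped
# URI is the one to inspect when checking what a client actually asked for.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    print fmt("%.6f http_request %s %s HTTP/%s from %s",
              network_time(), method, unescaped_URI, version, c$id$orig_h);
    }
```

Because the -x run re-dispatches the recorded events to whatever handlers the supplied script defines, the same events.bst can be examined repeatedly with different handlers, which is what makes the file useful for understanding a short run without re-reading the original traffic.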
