[Bro] Capturing events

Robin Sommer robin at icir.org
Thu Feb 2 11:25:14 PST 2006


On Thu, Feb 02, 2006 at 13:47 -0500, David Vasil wrote:

> Would you recommend using BRO_CREATE_TRACE_FILE=YES instead of 
> event-capture.bro?  Besides being in a raw tcpdump format, what other 
> benefits does the trace file give me?  Thanks!

The tracefile gives you a comprehensive view of the network
activity: it contains exactly the data on which Bro performed the
analysis; by refeeding the trace into Bro again, you get the same
results. The single most important advantage of a trace is that you
can manually examine it afterwards to see why Bro reported
something, in case the usual logs are not sufficient. If your
environment allows it (in terms of available resources, network
volume, and organisational restrictions), capturing a trace is a
good thing.

events.bst is a bit different: it does not contain the raw traffic
but a higher-level abstraction of it; you lose information as you
only see the data in a state when Bro has already performed its
first step of analysis (i.e. after a large reduction in volume).
This may or may not be sufficient to track things down, though
usually most of the data contained in events.bst ends up in some log
file anyway.

I usually do not routinely use capture-events with an operational
Bro. I rather turn it on selectively if I need to understand how
exactly Bro generates events for some given input, e.g., to tweak a
policy script. Then it's really helpful as you exactly see what the
policy scripts see as well, including timing.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICIR/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org