[Bro] Trace Execution with broctl

Will baxterw3232 at gmail.com
Mon Apr 4 12:23:27 PDT 2011


On Mon, Apr 4, 2011 at 2:55 PM, Seth Hall <seth at icir.org> wrote:

>
> On Apr 4, 2011, at 10:27 AM, Will wrote:
>
> > Is there currently a way to run an offline trace using broctl?
>
> This is actually currently partially implemented in a branch.  The problem
> with it is that it brings up a lot of questions about how it should work and
> how things should be handled from within BroControl.  What I would
> personally like to see (but probably won't happen initially) is clustered
> tracefile processing.
>
> Once we figure out a way forward on the read command, we can get it
> finished and integrated.  Please file the ticket still if you don't mind.
>  If you could be especially explicit about what features you need/want or
> how you'd like it to work, that would be a huge help.
>
>
I found cached versions of both files below and was going to see if I could
get them working on our test box.

source: broctl/BroControl/config.py @ 6683ca9
Revision 6683ca9, 14.5 KB checked in by seth, 3 months ago (diff)
source: broctl/bin/broctl.in @ 6683ca9
Revision 6683ca9, 23.3 KB checked in by seth, 3 months ago (diff)
"read" command for doing offline tracefile analysis through broctl.
There is more work to go, but so far, reading a single tracefile on
a standalone node works and it should work on a "localhost" cluster
config too but hasn't been tested.

Again, I would be happy to add what I would like to see as far as features.
Initially, having the ability to create a 'trace execution file' that steps
through policy execution of an offline pcap file would be fabulous. This is
mostly because I am so new (*terrible) at programming and am learning C as I
go. So, with that in mind, I may include something that clearly already
exists or doesn't make any sense.


> Thanks!
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
Will
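As an added example (written for this archive page; it is not code from the thread, from broctl, or from the Bro project), here is the standalone-node case that the unfinished "read" command covers, done by hand: run bro over each offline pcap in its own working directory so the per-trace logs do not overwrite each other. The bro binary path, the script names, the output directory and the choice to pass -C are assumptions made for the example, not details taken from the thread.

```python
"""Run Bro over offline trace files, one working directory per trace.

Added example for the broctl "read" discussion; not broctl's own code.
Assumed (not from the thread): a `bro` binary on PATH or given via
bro_path, and policy scripts named by the caller (e.g. "local.bro").
"""
import os
import subprocess
from typing import Dict, List, Optional, Tuple


def build_read_command(trace: str, scripts: List[str],
                       bro_path: str = "bro",
                       ignore_checksums: bool = True) -> List[str]:
    """Build the argv for one offline run of bro.

    -r <trace> makes bro read packets from a pcap instead of sniffing an
    interface.  -C makes it ignore IP/TCP/UDP checksums: captures taken on
    a host with checksum offloading often carry bad checksums, and without
    -C bro would quietly discard exactly the packets you want analysed.
    """
    argv = [bro_path]
    if ignore_checksums:
        argv.append("-C")
    argv += ["-r", trace]
    argv += scripts
    return argv


def read_traces(traces: List[str], scripts: List[str], out_root: str,
                bro_path: str = "bro", dry_run: bool = False
                ) -> Dict[str, Tuple[str, List[str], Optional[int]]]:
    """Process each trace in its own directory under out_root.

    Returns {trace: (workdir, argv, returncode)}; returncode is None in
    dry-run mode, where nothing is executed and no directory is created.
    """
    results: Dict[str, Tuple[str, List[str], Optional[int]]] = {}
    for trace in traces:
        trace = os.path.abspath(trace)
        name = os.path.splitext(os.path.basename(trace))[0]
        workdir = os.path.join(out_root, name)
        argv = build_read_command(trace, scripts, bro_path)
        rc: Optional[int] = None
        if not dry_run:
            os.makedirs(workdir, exist_ok=True)
            # bro writes its logs (conn.log, http.log, ...) into the cwd,
            # hence one cwd per trace.  stderr is kept beside the logs so a
            # policy-script error is found next to the run it belongs to.
            with open(os.path.join(workdir, "stderr.log"), "wb") as err:
                rc = subprocess.call(argv, cwd=workdir, stderr=err)
        results[trace] = (workdir, argv, rc)
    return results


if __name__ == "__main__":
    # Constructed sample invocation: two hypothetical traces, dry run.
    for t, (wd, argv, rc) in read_traces(["/tmp/a.pcap", "/tmp/b.pcap"],
                                         ["local.bro"], "/tmp/bro-out",
                                         dry_run=True).items():
        print(wd, " ".join(argv), rc)
```

Per-file processing like this is the "standalone node" case Seth describes; the clustered variant he would like to see would have to split the trace by flow across workers rather than by file, which this example does not attempt.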