[Bro] Standard Bro checks on tcpdump files. What that really means?
Aashish Sharma
init.conf at gmail.com
Mon Dec 23 18:46:09 PST 2013
When running bro -r dumpfile, you have to specify a policy file or a set of policy files which are used to process the dumpfile.
The default option is to use local.bro (found in the <your_bro_install>/share/bro/site/ folder).
So this becomes: bro -r dumpfile local.bro
Once successful, look in the log directory for a file called loaded_scripts.log. This log will list the policy files which were used for this specific bro run and analysis.
(If you are running bro as a daemon after doing broctl start, then you can use broctl scripts all to get a listing of loaded policies as well.)
Aashish
On Dec 23, 2013, at 5:58 PM, Luca Renaud <renaud.luca at gmail.com> wrote:
> When we do a: bro -r dumpfile, on a previously recorded dump file, what are the standard checks Bro really executes? ALL that come defined within the Bro scripts directory (export BROPATH=/...........)? Backdoor.bro, etc. etc.? Or just A PART of it?
> Thanks.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
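As an added example (not code from this thread, and not part of Bro or broctl), the shell snippet below shows the check described in the reply: after a bro -r dumpfile local.bro run, read loaded_scripts.log to see exactly which policy scripts were in effect, and test whether a particular script (the question's Backdoor.bro, for instance) was among them. The log content is constructed to mirror the Bro 2.x loaded_scripts.log layout (tab-separated metadata lines beginning with '#', then one script path per line, with nested loads indented); the install prefix /usr/local/bro and the script names in it are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example: inspect a Bro loaded_scripts.log to see which policy scripts
# a "bro -r dumpfile local.bro" run actually loaded.
# The log below is CONSTRUCTED for this example; the /usr/local/bro prefix and
# the script names are assumptions, not taken from the thread.

LOG="${TMPDIR:-/tmp}/loaded_scripts.example.log"
cat > "$LOG" <<'EOF'
#separator \x09
#set_separator	,
#empty_field	(empty)
#unset_field	-
#path	loaded_scripts
#open	2013-12-23-18-40-00
#fields	name
#types	string
/usr/local/bro/share/bro/base/init-bare.bro
  /usr/local/bro/share/bro/base/frameworks/logging/__load__.bro
/usr/local/bro/share/bro/site/local.bro
  /usr/local/bro/share/bro/policy/protocols/ssl/validate-certs.bro
  /usr/local/bro/share/bro/policy/frameworks/software/vulnerable.bro
#close	2013-12-23-18-40-05
EOF

# Print every script path in the log, skipping the '#' metadata lines and the
# leading indentation Bro uses to show which script pulled in which.
loaded_scripts() {
    grep -v '^#' "$1" | sed 's/^[[:space:]]*//'
}

# Number of scripts loaded in this run.
loaded_count() {
    loaded_scripts "$1" | wc -l | tr -d ' '
}

# Exit 0 if a script whose basename equals $2 was loaded in this run, else 1.
script_loaded() {
    loaded_scripts "$1" | awk -v want="$2" '
        { n = split($0, parts, "/"); if (parts[n] == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Stand-alone use: list the scripts, then answer the "was X loaded?" question.
loaded_scripts "$LOG"
if script_loaded "$LOG" validate-certs.bro; then
    echo "validate-certs.bro: loaded"
fi
if script_loaded "$LOG" backdoor.bro; then
    echo "backdoor.bro: loaded"
else
    echo "backdoor.bro: NOT loaded in this run"
fi
```

Point the LOG variable at the loaded_scripts.log from a real run (the current directory for bro -r, or the spool/log directory under broctl) and the same functions apply; a script that is absent from this list simply never ran against the dumpfile, whatever BROPATH contains.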