[Bro] Monitoring a directory and running bro on the PCAPs
Johanna Amann
johanna at icir.org
Fri Sep 30 14:16:40 PDT 2016
Hi Art,
that is the easiest way to do that, yes, just run Bro after the pcap files
have been written. The only disadvantage of this approach is that you
lose session state between runs of Bro; when you run Bro on the following
file, it will not parse any data from tcp sessions that started in the
previous file.
Johanna
On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> Does anyone have experience using Bro to run its analysis on PCAPs being
> written to a directory in an automated fashion?
> Should a cron just be run at a lag using bro -r and script options?
> Thank you,
>
> -Art
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
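An added example of the cron-driven approach the thread describes (this is not code from the thread or from the Bro project). It is a POSIX shell script that picks up pcap files from a directory, runs `bro -r` on each one in its own log directory so logs from different captures don't overwrite each other, and records processed files so a later cron run skips them. Assumed, not from the thread: the paths and variable names (`PCAP_DIR`, `LOG_ROOT`, `DONE_LIST`, `BRO_CMD`, `BRO_SCRIPTS`, `MIN_AGE_MIN`), and that the capture tool has finished writing a file once it is older than `MIN_AGE_MIN` minutes.

```shell
#!/bin/sh
# Added example: run `bro -r` on pcaps dropped into a directory, once per file.
# Caveat from the thread: each file is a separate Bro run, so TCP sessions that
# began in an earlier file are not reassembled in a later one.
# All names below are assumptions for this example, not Bro conventions.
PCAP_DIR="${PCAP_DIR:-/var/pcaps}"              # where the capture tool writes pcaps
LOG_ROOT="${LOG_ROOT:-/var/log/bro-pcaps}"      # one subdirectory of logs per pcap
DONE_LIST="${DONE_LIST:-$LOG_ROOT/processed.txt}" # files already analysed
BRO_CMD="${BRO_CMD:-bro}"                       # bro binary (overridable for testing)
BRO_SCRIPTS="${BRO_SCRIPTS:-local}"             # script options passed after -r FILE
MIN_AGE_MIN="${MIN_AGE_MIN:-2}"                 # skip files still being written to

# Returns 0 if this pcap path is already recorded in DONE_LIST.
already_done() {
    [ -f "$DONE_LIST" ] && grep -Fxq -- "$1" "$DONE_LIST"
}

# Run Bro on one pcap from inside its own log directory (Bro writes logs to
# the current directory). Prints the log directory on success, returns 1 on
# failure so the file is retried by the next cron run.
process_pcap() {
    pcap="$1"
    name=$(basename "$pcap")
    outdir="$LOG_ROOT/${name%.*}"
    mkdir -p "$outdir"
    # BRO_SCRIPTS is intentionally unquoted so it may hold several scripts.
    ( cd "$outdir" && "$BRO_CMD" -r "$pcap" $BRO_SCRIPTS ) \
        >"$outdir/bro.stdout" 2>"$outdir/bro.stderr" || return 1
    echo "$pcap" >>"$DONE_LIST"
    echo "$outdir"
}

# Process every pcap that is older than MIN_AGE_MIN minutes and not yet done.
# Prints the number of files processed in this invocation.
process_new_pcaps() {
    mkdir -p "$LOG_ROOT"
    list=$(mktemp)
    find "$PCAP_DIR" -maxdepth 1 -type f \
        \( -name '*.pcap' -o -name '*.pcapng' \) -mmin +"$MIN_AGE_MIN" \
        | sort >"$list"
    count=0
    while IFS= read -r pcap; do
        already_done "$pcap" && continue
        if process_pcap "$pcap" >/dev/null; then
            count=$((count + 1))
        else
            echo "bro failed on $pcap, see $LOG_ROOT" >&2
        fi
    done <"$list"
    rm -f "$list"
    echo "$count"
}

# Only run when invoked as `script.sh run`, so the file can also be sourced.
case "${1:-}" in run) process_new_pcaps ;; esac
```

A cron entry such as `*/5 * * * * /usr/local/bin/process_pcaps.sh run` gives the lag the question asks about; the age check keeps a half-written capture from being read, and the done-list keeps the job idempotent. If a single run can outlast the cron interval, wrap the command in `flock` (util-linux) or a similar lock so two runs don't process the same file at once.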