[Bro] Monitoring a directory and running bro on the PCAPs

Art Maddalena Art.Maddalena at teamaol.com
Fri Sep 30 14:19:15 PDT 2016


Thank you. Is it possible to stream the pcap data to bro in lieu of
monitoring a directory? Thanks!

Art

On Fri, Sep 30, 2016 at 17:16 Johanna Amann <johanna at icir.org> wrote:

> Hi Art,
>
> that is the easiest way to do that, yes, just run Bro after the pcap files
> have been written. The only disadvantage of this approach is that you
> lose session state between runs of Bro; when you run Bro on the following
> file, it will not parse any data from tcp sessions that started in the
> previous file.
>
> Johanna
>
> On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > Does anyone have experience using Bro to run its analysis on PCAPs being
> > written to a directory in an automated fashion?
> > Should a cron just be run at a lag using bro -r and script options?
> > Thank you,
> >
> > -Art
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
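The cron-driven approach discussed above (run `bro -r` on each pcap once it has finished being written, and never feed the same file twice), as an added example that is not code from this thread or from the Bro project. It assumes a capture tool drops files matching `*.pcap` into `PCAP_DIR`, that a file untouched for `MIN_AGE_SEC` seconds is complete, and that a list of already-processed paths can be kept in `DONE_LIST`; all of those names, the `--run` flag and the log layout under `BRO_LOG_ROOT` are this script's own conventions, not Bro's. Each file is analysed independently, so, as noted in the reply above, TCP sessions that straddle two files are not reassembled.

```shell
#!/bin/sh
# Batch-process completed pcaps with Bro from cron (added example, not from the list post).
# Suggested crontab entry (hypothetical path):
#   */5 * * * * PCAP_DIR=/var/pcap /usr/local/bin/bro-batch.sh --run

PCAP_DIR="${PCAP_DIR:-/var/pcap}"            # where the capture tool writes *.pcap
BRO_LOG_ROOT="${BRO_LOG_ROOT:-/var/log/bro-batch}"  # one log directory per pcap
MIN_AGE_SEC="${MIN_AGE_SEC:-120}"            # a file idle this long is treated as complete
BRO_BIN="${BRO_BIN:-bro}"
BRO_SCRIPTS="${BRO_SCRIPTS:-local}"          # extra script(s) appended to "bro -r FILE"
DONE_LIST="${DONE_LIST:-$PCAP_DIR/.processed}"

# is_complete FILE: true when FILE has not been modified for at least MIN_AGE_SEC.
# Tries GNU stat first, then BSD stat.
is_complete() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    [ $((now - mtime)) -ge "$MIN_AGE_SEC" ]
}

# already_done FILE: true when FILE is recorded (as a whole line) in DONE_LIST.
already_done() {
    [ -f "$DONE_LIST" ] && grep -qxF "$1" "$DONE_LIST"
}

# pending_pcaps: print complete, not-yet-processed pcaps, oldest first.
pending_pcaps() {
    ls -tr "$PCAP_DIR"/*.pcap 2>/dev/null | while IFS= read -r f; do
        if is_complete "$f" && ! already_done "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# run_bro FILE: analyse one pcap in its own log directory, then record it.
# Bro writes its logs into the current working directory, hence the cd.
run_bro() {
    base=$(basename "$1" .pcap)
    out="$BRO_LOG_ROOT/$base"
    mkdir -p "$out"
    ( cd "$out" && "$BRO_BIN" -r "$1" $BRO_SCRIPTS ) || return 1
    printf '%s\n' "$1" >> "$DONE_LIST"
}

# process_pending: one cron pass; prints the number of files processed.
# Assumes pcap file names contain no whitespace.
process_pending() {
    count=0
    for f in $(pending_pcaps); do
        run_bro "$f" && count=$((count + 1))
    done
    echo "$count"
}

if [ "${1:-}" = "--run" ]; then
    echo "processed $(process_pending) pcap file(s)"
fi
```

The age check is what keeps a half-written capture file out of Bro; pick `MIN_AGE_SEC` larger than the interval at which the capture tool rotates files. Because the processed list is keyed on the full path, rotating file names back into the directory (for example, reusing `cap-01.pcap`) would cause a file to be skipped, so rotate with unique names or prune the list alongside the pcaps.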