[Bro] Monitoring a directory and running bro on the PCAPs

Johanna Amann johanna at icir.org
Fri Sep 30 14:25:21 PDT 2016


Hi,

unless you have a way to replay the data to an interface that Bro can
listen on (either by duplicating the traffic, or by using something like
tcpreplay), I am not really aware of a good solution.

Johanna

On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
> Thank you. Is it possible to stream the pcap data to bro in lieu of
> monitoring a directory? Thanks!
> 
> Art
> 
> On Fri, Sep 30, 2016 at 17:16 Johanna Amann <johanna at icir.org> wrote:
> 
> > Hi Art,
> >
> > that is the easiest way to do that, yes, just run Bro after the pcap files
> > have been written. The only disadvantage of this approach is that you
> > lose session state between runs of Bro; when you run Bro on the following
> > file, it will not parse any data from tcp sessions that started in the
> > previous file.
> >
> > Johanna
> >
> > On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
> > > Does anyone have experience using Bro to run its analysis on PCAPs being
> > > written to a directory in an automated fashion?
> > > Should a cron just be run at a lag using bro -r and script options?
> > > Thank you,
> > >
> > > -Art
> >
> > > _______________________________________________
> > > Bro mailing list
> > > bro at bro-ids.org
> > > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> >
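The cron-driven approach the thread settles on, as an added example that is not from the thread or from the Bro project: a POSIX shell script that picks up pcaps which have sat unmodified for a lag (so a file the capture tool is still writing is skipped), runs Bro on each one in its own output directory, and marks the file done. It assumes `find` supports `-maxdepth` and `-mmin`, and takes the Bro command and any extra script arguments from the `BRO` and `BRO_SCRIPTS` variables (names chosen here, not Bro's).

```shell
#!/bin/sh
# Added example, not code from the thread or from Bro itself.
# BRO: command used to read a pcap (default "bro -r"); BRO_SCRIPTS: extra
# script arguments appended after the file, e.g. "local". Both are
# assumptions of this script, so they can be pointed at a stub for dry runs.
BRO="${BRO:-bro -r}"
BRO_SCRIPTS="${BRO_SCRIPTS:-}"

# List *.pcap files directly under $1 that have not been modified for more
# than $2 minutes (the lag) and have no "<file>.done" marker yet.
pending_pcaps() {
    dir=$1; lag_min=$2
    find "$dir" -maxdepth 1 -name '*.pcap' -mmin +"$lag_min" | sort |
    while read -r f; do
        [ -e "$f.done" ] || printf '%s\n' "$f"
    done
}

# Run Bro once per pending pcap, from a per-file directory under $3 so each
# run's conn.log, http.log etc. stay separate; mark the pcap done on success.
process_pcaps() {
    dir=$1; lag_min=$2; out=$3
    pending_pcaps "$dir" "$lag_min" | while read -r f; do
        name=$(basename "$f" .pcap)
        mkdir -p "$out/$name"
        # $BRO and $BRO_SCRIPTS are intentionally unquoted to allow
        # multi-word commands such as "bro -r" and "local misc/dump-events".
        if (cd "$out/$name" && $BRO "$f" $BRO_SCRIPTS); then
            : > "$f.done"
        else
            echo "bro failed on $f, will retry next run" >&2
        fi
    done
}

# Typical cron line (every 5 minutes, files idle for at least 2):
#   */5 * * * * /usr/local/bin/process_pcaps.sh /data/pcap 2 /data/bro-logs
if [ "$#" -eq 3 ]; then
    process_pcaps "$1" "$2" "$3"
fi
```

Each file is still analysed in a separate Bro run, so a TCP session that spans two capture files is not reassembled, exactly the limitation described above.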

