[Bro] Monitoring a directory and running bro on the PCAPs

Michał Purzyński michalpurzynski1 at gmail.com
Fri Sep 30 14:42:00 PDT 2016


Either that or inotify that runs bro with a few lines of Python code. Replaying is better because it won't create a backlog of bros.

Or even a few lines in Python with inotify that starts replay?

> On 30 Sep 2016, at 23:25, Johanna Amann <johanna at icir.org> wrote:
> 
> Hi,
> 
> unless you have a way to replay the data to an interface that Bro can
> listen on (either by duplicating the traffic, or by using something like
> tcpreplay), I am not really aware of a good solution.
> 
> Johanna
> 
>> On Fri, Sep 30, 2016 at 09:19:15PM +0000, Art Maddalena wrote:
>> Thank you. Is it possible to stream the pcap data to bro in lieu of
>> monitoring a directory? Thanks!
>> 
>> Art
>> 
>>> On Fri, Sep 30, 2016 at 17:16 Johanna Amann <johanna at icir.org> wrote:
>>> 
>>> Hi Art,
>>> 
>>> that is the easiest way to do that, yes, just run Bro after the pcap files
>>> have been written. The only disadvantage of this approach is that you
>>> lose session state between runs of Bro; when you run Bro on the following
>>> file, it will not parse any data from tcp sessions that started in the
>>> previous file.
>>> 
>>> Johanna
>>> 
>>>> On Fri, Sep 23, 2016 at 01:26:50PM -0400, Art Maddalena wrote:
>>>> Does anyone have experience using Bro to run its analysis on PCAPs being
>>>> written to a directory in an automated fashion?
>>>> Should a cron just be run at a lag using bro -r and script options?
>>>> Thank you,
>>>> 
>>>> -Art
>>> 
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> 
>>> 
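Michał's "a few lines of Python with inotify" sketched out, as an added example that is not part of the thread: a Linux-only watcher (inotify is reached through ctypes, since it is not in the standard library) that runs `bro -r` on each capture as soon as its writer closes it or renames it into place, one file at a time so a burst of pcaps cannot pile up a backlog of bro processes. The watched directory, the log root and the `local` script are assumptions; Johanna's caveat still holds, since every run starts with no TCP session state from the previous file.

```python
import ctypes
import os
import struct
import subprocess

IN_CLOSE_WRITE = 0x00000008   # a file opened for writing was closed
IN_MOVED_TO = 0x00000080      # a file was renamed into the watched directory
EVENT_HDR = struct.Struct("iIII")  # struct inotify_event: wd, mask, cookie, len


def should_process(name, mask):
    """Only act on a finished capture: writers either close the file or rename a
    temporary name into place, so IN_CREATE/IN_MODIFY never trigger a run."""
    return name.endswith((".pcap", ".pcapng")) and bool(mask & (IN_CLOSE_WRITE | IN_MOVED_TO))


def parse_events(buf):
    """Decode the raw inotify_event records returned by one read() on the fd."""
    off = 0
    while off + EVENT_HDR.size <= len(buf):
        _wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, off)
        off += EVENT_HDR.size
        name = buf[off:off + length].split(b"\0", 1)[0].decode()
        off += length
        yield mask, name


def bro_command(pcap_path, scripts=()):
    """'bro -r <file> [scripts...]'; Bro writes its logs into the current directory."""
    return ["bro", "-r", pcap_path, *scripts]


def run_bro(pcap_path, logroot, scripts=()):
    """Run Bro synchronously in a per-capture log directory; one run at a time means
    no backlog of bros, and the kernel queues inotify events while we are busy."""
    logdir = os.path.join(logroot, os.path.basename(pcap_path))
    os.makedirs(logdir, exist_ok=True)
    return subprocess.run(bro_command(pcap_path, scripts), cwd=logdir).returncode


def watch(directory, logroot, scripts=()):
    libc = ctypes.CDLL("libc.so.6", use_errno=True)  # Linux only
    fd = libc.inotify_init()
    if fd < 0 or libc.inotify_add_watch(fd, directory.encode(), IN_CLOSE_WRITE | IN_MOVED_TO) < 0:
        raise OSError(ctypes.get_errno(), "inotify setup failed")
    while True:
        for mask, name in parse_events(os.read(fd, 65536)):
            if should_process(name, mask):
                run_bro(os.path.join(directory, name), logroot, scripts)


if __name__ == "__main__":
    watch("/var/pcaps", "/var/bro-logs", ["local"])  # assumed paths and script
```

If the capture tool writes directly to the final name without a rename, only IN_CLOSE_WRITE fires, so a partially written file is never handed to Bro.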


