[Bro] Dumping Sumstats on Bro Termination

Mike M turbidtarantula at gmail.com
Tue Nov 13 05:54:17 PST 2018


I'm using Sumstats and I've got some pcaps I want to run through Bro.
Depending on the pcap duration I end up with interim results in Sumstats
when Bro exits, because the epoch threshold hasn't been crossed. That makes
sense, but I'd like to log any partial results that haven't crossed the
threshold when reading a pcap.

Is there a way to force the epoch_result function to run when Bro finishes
the pcap, or otherwise dump the partial results when Bro exits?

Thanks,
Mike