[Zeek] Ryu Controller
Johanna Amann
johanna at icir.org
Tue Nov 26 10:54:38 PST 2019
Hi,
> How can I run bro for the current traffic and show the alerts on a
> console
> instead of logs?
you can run it on the command line without using zeekctl/broctl using
zeek (or bro) -i [interfacename]. However, logs will always be written to
files - it does not really make sense to write them to the console,
which would make it hard to distinguish between the different log
streams.
Note - most Zeek logs are policy neutral and not really alerts…
> Also where can I check the policies that are configured to Bro for
> IDS?
I don’t 100% get the questions. If you load misc/loaded-scripts in
your configuration, you will get a loaded-scripts.log which will show
you all script files that are loaded. The default configuration of Zeek
loads most protocol analyzers and writes their log-files.
> Also what is the difference between the broctl binary and bro binary?
zeekctl/broctl is the management application to start zeek cluster
setups. See e.g. https://github.com/zeek/zeekctl - or
https://docs.zeek.org/en/stable/quickstart/ for a getting started guide
that mentions this.
Johanna
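An added example, not part of the reply above or of Zeek's own code: a small Python reader for the tab-separated ASCII log format that `zeek -i` writes to files, run over constructed loaded_scripts.log and notice.log samples. It prefixes every record with the log's #path, which is one way to print several log streams to a single console without losing track of which stream each line came from. The sample contents (timestamps, script paths, notice text) are constructed, not real captures.

```python
from typing import Dict, List, Optional

# Constructed sample in Zeek's ASCII log layout (as produced by misc/loaded-scripts).
SAMPLE_LOADED_SCRIPTS = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#path\tloaded_scripts\n#open\t2019-11-26-10-54-38\n"
    "#fields\tname\n#types\tstring\n"
    "/usr/local/zeek/share/zeek/base/init-bare.zeek\n"
    "/usr/local/zeek/share/zeek/policy/misc/loaded-scripts.zeek\n"
    "#close\t2019-11-26-10-55-01\n"
)
# Constructed notice.log fragment; the final column uses the unset marker "-".
SAMPLE_NOTICE = (
    "#separator \\x09\n#unset_field\t-\n#path\tnotice\n"
    "#fields\tts\tnote\tmsg\tsub\n#types\ttime\tenum\tstring\tstring\n"
    "1574794478.123456\tScan::Port_Scan\tconstructed scan message\t-\n"
)


def parse_zeek_log(text: str) -> Dict[str, object]:
    """Parse a Zeek ASCII log into its #path, #fields and a list of record dicts."""
    sep, unset, path = "\t", "-", None
    fields: List[str] = []
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator directive is the one header split on a space; its value
            # is an escape sequence such as \x09 that names the real separator.
            sep = bytes(line.split(" ", 1)[1], "ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            elif key == "path":
                path = value
            elif key == "unset_field":
                unset = value
        else:
            values = line.split(sep)
            if len(values) != len(fields):
                raise ValueError(f"{len(values)} columns but header declares {len(fields)}")
            records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return {"path": path, "fields": fields, "records": records}


def render_for_console(text: str) -> List[str]:
    """One line per record, prefixed with the stream name so mixed logs stay readable."""
    log = parse_zeek_log(text)
    return [f"[{log['path']}] " + " ".join(f"{k}={v}" for k, v in r.items()) for r in log["records"]]
```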