[Zeek] Ryu Controller

Priyatham Ganta gantapritham4 at gmail.com
Tue Nov 26 13:08:31 PST 2019


Hi,

I'm trying to run Bro as an IDS. Hence, I don't want to show all the logs on
the console. I just want to look at the alerts generated by Bro if there are
any attacks on the network. That's the reason I want to print only the
alerts and not logs.
How do I run Bro in IDS mode?

For Bro to run as IDS, there should be some policies configured with which
this application will differentiate between normal traffic and malicious
traffic. I want to look at those policies.

Can you help me with this?

Thanks

On Tue, 26 Nov 2019 at 10:54, Johanna Amann <johanna at icir.org> wrote:

> Hi,
>
> > How can I run bro for the current traffic and show the alerts on a
> > console
> > instead of logs?
>
> you can run it on the command line without using zeekctl/broctl using
> zeek (or bro) -i [interfacename]. However, logs will always be written to
> files - it does not really make sense to write them to the console,
> which would make it hard to distinguish between the different log
> streams.
>
> Note - most Zeek logs are policy neutral and not really alerts…
>
> > Also where can I check the policies that are configured to Bro for
> > IDS?
>
> I don’t 100% get the questions. If you load misc/loaded-scripts in
> your configuration, you will get a loaded-scripts.log which will show
> you all script files that are loaded. The default configuration of Zeek
> loads most protocol analyzers and writes their log-files.
>
> > Also what is the difference between the broctl binary and bro binary?
>
> zeekctl/broctl is the management application to start zeek cluster
> setups. See e.g. https://github.com/zeek/zeekctl - or
> https://docs.zeek.org/en/stable/quickstart/ for a getting started guide
> that mentions this.
>
> Johanna
>
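The workflow described in the quoted reply (run `zeek -i <interface>` from the command line, leave the log streams in files, and treat notice.log rather than the protocol logs as the alert stream) can be paired with a small reader that follows notice.log and prints one line per notice on the console. The script below is an added example for this thread, not code from Zeek or from either participant. It parses Zeek's ASCII log format (tab-separated rows preceded by `#fields` / `#types` header lines); the embedded notice.log content is constructed for the example, with a subset of the `Notice::Info` columns. Which notices show up at all depends on which policy scripts are loaded, which is what loaded-scripts.log lists.

```python
"""Stream Zeek notice.log records to the console as one-line alerts.

Added example, not code from Zeek or from the mailing-list participants.
"""
from __future__ import annotations

import sys
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List, Optional

# Constructed sample notice.log: the header layout is Zeek's ASCII writer
# format and the column names are a subset of Zeek's Notice::Info record,
# but the two data rows are made up for this example.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#open\t2019-11-26-13-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg"
    "\tsrc\tdst\tactions\tsuppress_for\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring"
    "\taddr\taddr\tset[enum]\tinterval\n"
    "1574802000.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t51234\t198.51.100.5\t22"
    "\tSSH::Password_Guessing\t192.0.2.10 appears to be guessing SSH passwords"
    "\t192.0.2.10\t-\tNotice::ACTION_LOG\t3600.000000\n"
    "1574802010.654321\t-\t-\t-\t-\t-\tScan::Port_Scan"
    "\t192.0.2.10 scanned at least 15 unique ports of host 198.51.100.5"
    "\t192.0.2.10\t198.51.100.5\tNotice::ACTION_LOG,Notice::ACTION_EMAIL"
    "\t3600.000000\n"
    "#close\t2019-11-26-13-05-00\n"
)


def _convert(value: str, ztype: str, unset: str, empty: str, set_sep: str):
    """Turn one ASCII cell into a Python value based on its #types column."""
    if value == unset:
        return None
    if ztype.startswith(("set[", "vector[")):
        return [] if value == empty else value.split(set_sep)
    if value == empty:
        return ""
    if ztype in ("time", "interval", "double"):
        return float(value)
    if ztype in ("port", "count", "int"):
        return int(value)
    if ztype == "bool":
        return value == "T"
    return value  # string, addr, enum, subnet: kept as text


def parse_zeek_ascii(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one dict per data row, honouring the #-prefixed header directives."""
    fields: Optional[List[str]] = None
    types: Optional[List[str]] = None
    unset, empty, set_sep = "-", "(empty)", ","
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            key = parts[0][1:]
            if key == "fields":
                fields = parts[1:]
            elif key == "types":
                types = parts[1:]
            elif key == "unset_field":
                unset = parts[1]
            elif key == "empty_field":
                empty = parts[1]
            elif key == "set_separator":
                set_sep = parts[1]
            continue  # #separator, #path, #open, #close carry no row data
        if fields is None:
            raise ValueError("data row seen before the #fields header")
        cells = line.split("\t")
        if len(cells) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(cells)}")
        col_types = types if types else ["string"] * len(fields)
        yield {
            name: _convert(cell, ztype, unset, empty, set_sep)
            for name, ztype, cell in zip(fields, col_types, cells)
        }


def format_alert(rec: Dict[str, object]) -> str:
    """Render a notice.log record as a single console line."""
    when = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    # Notices raised outside a connection leave id.* unset; fall back sensibly.
    src = rec.get("src") or rec.get("id.orig_h") or "-"
    dst = rec.get("dst") or rec.get("id.resp_h") or "-"
    actions = ",".join(rec.get("actions") or [])
    return (f"{when:%Y-%m-%dT%H:%M:%SZ} {rec['note']} src={src} dst={dst} "
            f"actions={actions} :: {rec['msg']}")


def alert_lines(log_text: str) -> List[str]:
    """Parse a whole notice.log body and return the formatted alert lines."""
    return [format_alert(r) for r in parse_zeek_ascii(log_text.splitlines())]


if __name__ == "__main__":
    # Usage: tail -n +1 -F notice.log | python3 notice_console.py
    # (-n +1 so the #fields/#types headers are included; -F survives rotation)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    with source:
        for record in parse_zeek_ascii(source):
            print(format_alert(record), flush=True)
```

Feeding the script with `tail -n +1 -F notice.log` matters: the parser needs the `#fields` and `#types` header lines to name and type the columns, so a plain `tail -f` that starts mid-file would fail on the first data row. Because the header directives are re-read whenever they appear, a freshly opened notice.log after a restart is handled without re-launching the reader.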