about Bro

Hi Bro-Team,

I wanted to make something clear. For example, I am running Bro as follows:

bro -r <tcpdump file> mt -w <some file>

And in the location where I am running this command, it generates the files:
- alarm.log,
- ftp.log,
- weird.log,
- etc...

Which one do I have to take into account when I am looking for labeled attacks? I mean, I already have the set of attacks (for example, the DARPA 1999 training data, Week 2 data). Now, in which file do I have to look for the attacks, to find out whether Bro found any? At the moment I am looking at the alarm.log file to see whether Bro found the correct ones. Am I doing this right? Thanks in advance.

I also wanted to make this clear: for example, in Snort, for analyzing tcpdump files I am writing

snort -r <tcpdump file> -c /etc/snort/snort.conf -l <some place>

And now I want to do the same, but with Bro; what I am writing is

bro -r <tcpdump file> mt -w <some file>

Am I doing it right? If not, could you please explain it to me? Thanks in advance.

Regards.

Hi,

You should check out the manuals at http://www.bro-ids.org/manuals.html
to learn about the meaning of the individual log types. Note that Bro,
like any other IDS, will need careful tuning if you want it to
alert you to all the attacks labelled in the DARPA set.