Hi Bro-Team,
I wanted to make it clear. For example, I am running Bro as follows:
bro -r <tcpdump file> mt -w <some file>
And in the location where I am running this line it generates the files:
- alarm.log,
- ftp.log,
- weird.log,
- etc...
Which one do I have to take into account when I am looking for labeled attacks? I mean, I already have the set of attacks (for example, DARPA 1999 Training data, Week 2 data). Now, which file do I have to look at for the attacks, to find out whether Bro found any attacks? For the moment I am looking at the alarm.log file to see if Bro found the correct ones. Am I doing this right? Thanks in advance.
I also wanted to make it clear: for example, in Snort, for analyzing the tcpdump files I am writing
snort -r <tcpdump file> -c /etc/snort/snort.conf -l <some place>
And now I want to do the same but with Bro; what I am writing is
bro -r <tcpdump file> mt -w <some file>
Am I doing it right? If not, can you please explain it to me? Thanks in advance.
Regards.