Hello Robin,
When using Bro in offline mode and loading the signatures.bro policy, I get the following warning:
suse:/usr/local/bro # export BROPATH="/usr/local/bro/site:/usr/local/bro/share/bro"
suse:/usr/local/bro # export BROHOME="/usr/local/bro"
suse:/usr/local/bro # bro -r /tmp/trace.pcap signatures
line 1: warning: event handlers never invoked:
line 1: warning: Drop::restore_dropped_address
BROPATH points at the new policy folder:
BROPATH="/usr/local/bro/site:/usr/local/bro/share/bro"
It happens with every trace I've tried, but just in case, I'm attaching the sample used in the example.
Also, I noticed there is no longer a 'site' folder. Where would be the right place to place our host-specific Bro policy file?
Best Regards
Miguel
trace.pcap (920 Bytes)