I’m using BRO in Security Onion and I need to test the traffic captured from a deployment in a test environment. Instead of monitoring an interface, I want to read from a directory containing pcap files (and/or a large pcap file). SO uses broctl in its scripts to start/manage BRO, but I don’t know if there is an argument to add in any of the broctl config files (node.cfg, broctl.cfg) that will make BRO read from PCAP files.
I’ve also looked into BRO’s CLI, and if I were to use this it would be a problem because of the way logs are being stored in SO - in timestamped folders and a “current” folder.
My questions are:
- can broctl read from PCAP files?
- can I use BRO’s CLI to save the log files in an SO fashion (timestamped directories and others) without additional bash?
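Below is an added shell example (not part of the original post and not Security Onion's own scripts) that replays a directory of pcaps through Bro's CLI with `bro -r` and writes each capture's logs into a dated directory plus a "current" symlink, modelled on the layout the post describes. It assumes `bro` is on `PATH`, that `bro -r <pcap> local` writes its logs into the working directory (Bro's documented behaviour), and that `BRO_LOG_BASE`, the `<base>/<YYYY-MM-DD>/<capture name>` naming scheme and the `local` policy name are illustrative choices, not SO's exact layout.

```shell
#!/bin/sh
# Added example: replay pcaps through Bro's CLI into a timestamped log tree.
# Assumptions (not from the original post): `bro` is on PATH; `bro -r` writes
# its logs into the current working directory; BRO_LOG_BASE and the
# <base>/<date>/<capture name> scheme are illustrative, not Security Onion's.

BRO_LOG_BASE="${BRO_LOG_BASE:-/tmp/bro-replay}"   # assumed base directory
BRO_POLICY="${BRO_POLICY:-local}"                  # site policy to load

# Compute the per-capture log directory: <base>/<YYYY-MM-DD>/<pcap basename
# without .pcap/.pcapng>. Pure string function so it can be checked offline.
log_dir_for_pcap() {
    base="$1"; day="$2"; pcap="$3"
    name=$(basename "$pcap")
    name=${name%.pcapng}
    name=${name%.pcap}
    printf '%s/%s/%s\n' "$base" "$day" "$name"
}

# Replay one pcap: make a dated directory, run bro -r inside it so the logs
# land there, then repoint the "current" symlink at the newest run.
replay_pcap() {
    # Absolute path, because we cd before invoking bro.
    pcap="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    day=$(date +%Y-%m-%d)
    dir=$(log_dir_for_pcap "$BRO_LOG_BASE" "$day" "$pcap")
    mkdir -p "$dir"
    # bro -r reads packets from the file and uses the packet timestamps,
    # so the resulting logs reflect capture time, not replay time.
    ( cd "$dir" && bro -r "$pcap" "$BRO_POLICY" )
    ln -sfn "$dir" "$BRO_LOG_BASE/current"
}

# Replay every pcap/pcapng in a directory, in filesystem order.
replay_dir() {
    for f in "$1"/*.pcap "$1"/*.pcapng; do
        [ -f "$f" ] || continue
        replay_pcap "$f"
    done
}

# Usage: sh replay.sh /path/to/captures   (no-op when no argument is given)
if [ "$#" -gt 0 ]; then
    command -v bro >/dev/null 2>&1 || { echo "bro not found on PATH" >&2; exit 1; }
    replay_dir "$1"
fi
```

Each run gets its own directory, so logs from different captures never overwrite one another, and `current` always points at the most recent replay, which is the property the post is asking to preserve.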