broctl reading from pcap files

Hello,

I’m using Bro in Security Onion and I need to test the traffic captured from a deployment in a test environment. Instead of monitoring an interface, I want to read from a directory containing pcap files (and/or a large pcap file). SO uses broctl in its scripts to start/manage Bro, but I don’t know if there is an argument to add to any of broctl’s config files (node.cfg, broctl.cfg) that will make Bro read from PCAP files.

I’ve also looked into Bro’s CLI, and if I were to use this it would be a problem because of the way logs are stored in SO - in timestamped folders and a “current” folder.

My questions are:

  • Can broctl read from PCAP files?
  • Can I use Bro’s CLI to save the log files in an SO fashion (timestamped directories and others) without additional bash?

Thanks!

- Can broctl read from PCAP files?

Yes, look into the "process" command in broctl.

- Can I use Bro’s CLI to save the log files in an SO fashion (timestamped directories and others) without additional bash?

There was a question like that on the mailing list recently.
  http://mailman.icsi.berkeley.edu/pipermail/bro/2014-August/007346.html

The gist is that you need to set a rotation interval and then provide a program which it will call to do the actual log rotation.

  .Seth
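The following is an added example, not code from this thread, from Bro or from Security Onion, that puts the two halves of Seth's answer together: run Bro directly over pcap files with a rotation interval set, and hand it a post-processor that files each rotated log into a Security Onion-style dated directory. One caveat first: `broctl process <trace>` runs Bro on a trace with the live configuration but disables log rotation and writes into a temporary directory, so it does not produce the timestamped tree by itself; that is why the rotation route below is used. Assumptions not stated in the thread: the post-processor is called the way Bro's logging framework calls `Log::default_rotation_postprocessor_cmd`, i.e. with the arguments `<rotated-file> <base-name> <open-ts> <close-ts> <terminating> <writer>` and timestamps in `%y-%m-%d_%H.%M.%S` format; the target layout is `$LOG_ROOT/YYYY-MM-DD/<base>.<HH:MM:SS>-<HH:MM:SS>.log`, modelled on what broctl's archive-log produces; `bro`, `LOG_ROOT`, `so_archive` and `run_offline` are this example's own names.

```shell
#!/bin/sh
# Added example (not from the thread, Bro or Security Onion).
#
# Usage:  ./so-offline.sh run /path/to/traces/*.pcap
#         (run it from the directory that plays the role of SO's "current"
#          folder: Bro writes its live logs into the working directory and
#          only rotated files are moved into $LOG_ROOT/YYYY-MM-DD/)
#
# Assumed post-processor interface (how Bro's logging framework invokes
# Log::default_rotation_postprocessor_cmd):
#   <rotated-file> <base-name> <open-ts> <close-ts> <terminating> <writer>
# with timestamps formatted as %y-%m-%d_%H.%M.%S, e.g. 14-08-21_13.00.00.

LOG_ROOT="${LOG_ROOT:-/nsm/bro/logs}"   # assumed SO-style log root

# so_archive: the rotation post-processor.  Moves one rotated log into the
# dated directory and prints the final path (so callers/tests can check it).
so_archive() {
    rotated="$1" base="$2" open_ts="$3" close_ts="$4" terminating="$5" writer="$6"
    if [ ! -f "$rotated" ]; then
        echo "so_archive: no such file: $rotated" >&2
        return 1
    fi
    day="20${open_ts%%_*}"                              # 14-08-21_13.00.00 -> 2014-08-21
    t_open=$(printf '%s' "${open_ts#*_}" | tr . :)      # 13.00.00 -> 13:00:00
    t_close=$(printf '%s' "${close_ts#*_}" | tr . :)
    dest="$LOG_ROOT/$day"
    mkdir -p "$dest" || return 1
    out="$dest/$base.$t_open-$t_close.log"
    mv -- "$rotated" "$out" || return 1
    printf '%s\n' "$out"
}

# run_offline <pcap>...: run Bro on each trace with hourly rotation and this
# script as the post-processor.  When reading a pcap Bro rotates on packet
# time, so a trace spanning several hours yields one set of logs per hour;
# the last set is rotated on exit with terminating=1.  Traces are processed
# one at a time because -r takes a single file; merge them first (e.g. with
# mergecap) if connection state must carry across files.
run_offline() {
    self=$(cd "$(dirname "$0")" && pwd)/$(basename "$0")
    for pcap in "$@"; do
        bro -r "$pcap" local \
            "Log::default_rotation_interval=1hr" \
            "Log::default_rotation_postprocessor_cmd=\"$self archive\""
    done
}

# Dispatch: "archive" is what Bro calls, "run" is what the operator types.
case "${1:-}" in
    archive) shift; so_archive "$@" ;;
    run)     shift; run_offline "$@" ;;
esac
```

The `local` script on the Bro command line stands in for whatever site policy Security Onion loads; with a real deployment you would pass the same scripts broctl's node configuration would, which is the one thing `broctl process` does for you and this route does not.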