- is there an archive for this mailing list?
Yes. To get a list of past messages, send a message to firstname.lastname@example.org
with the subject "archive ls latest". To then retrieve a message, use
"archive get latest/<number>" for a message with the given number, or
"archive get latest/<number>*" for those messages that match the pattern
<number>* (so "archive get latest/*" retrieves all of the messages).
Unfortunately, when using a pattern each message matching the pattern is
returned in a separate message, which is a bit clunky.
- is there more documentation or any faqs specifically for Bro?
No, just what's distributed in the doc/ directory. This is a major hole.
- is a signature data file utilized? If so, what module(s) access it?
When you run Bro, you give it as an argument the policy file(s) to load.
The usual one you use is "mt", which corresponds to pub-policy/mt.bro.
It then @load's a bunch of other policy files, which are also found
- are there some example log files available?
See doc/conn-logs for a description of the connection summaries generated
by tcp.bro (I assume this is what you're asking about).
We are currently waiting for the hardware to install Bro, but are trying
to determine the formats of the signature file and log files for design
Bro doesn't have signature files per se. It instead has a language for
expressing event handlers. One common thing to do with these is express
signatures. It's also the policy files that write whatever logs you want
them to write. The default logs written are those produced by tcp.bro,
ftp.bro, and finger.bro. The language is informally described in the USENIX
paper, and meant to be fairly clear upon study of the policies distributed