getting first results

Greg_Kosinovsky · July 28, 2009, 6:11pm

I am trying to get my first results with BRO. I am just running mt.bro on an existing tcpdump file (containing some DNS data). My exact command is "bin/bro -r dns.cap share/bro/mt.bro"

This command run to completion without error and creates empty log files for a number of policies loaded inside mt.bro. Also, if I put a print statement inside mt.bro, I can see the output. However, If I put print statements inside any of the functions defined in policies loaded by mt.bro ("dns-lookup", "weird", etc.,) I cannot see any results -- presumably these policies have to be invoked. The scripts I am modifying to try to see these results are in share/bro (share/bro/weird.bro, share/bro/dns-lookup.bro, etc.).

It appears to be straightforward, but I must be missing something conceptually.

Thank you,

Greg

robin · July 29, 2009, 6:04pm

Note that mt is not loading dns.bro, which is the main DNS analysis
script. Try "bro -r dns.cap mt dns". Without dns.bro, Bro will not
look at DNS packets at all as they won't pass the packet filter,
which is also why you aren't seeing much activity at all.

(dns-lookup.bro tracks Bro's *own* DNS queries but nothing else).

Robin

Topic		Replies	Views
DNS query logging Zeek	4	78	May 6, 2022
new to bro, a few questions Zeek	2	65	May 6, 2022
Debugging policy Zeek	3	43	May 6, 2022
New Bro User Zeek	1	54	May 6, 2022
Bro on other Packet Trace Dumps. Zeek	13	69	May 6, 2022

getting first results

Related Topics