Help: Experiment

Hello,

I am new to this whole Bro IDS and would like to learn more about it.

Right now, I am trying to experiment with Bro to learn more.

My simple experiment setup is as below.

I am simply trying to get the message distribution between the encrypted and unencrypted traffic of a malware.
I have virtual nodes running and I am generating traffic using tcpreplay and .pcap files.

And I have pointed Bro to the virtual interface, and it successfully captures the packets and generates the default logs.
But I want to distinguish malware traffic and non-malware traffic in encrypted and non-encrypted scenarios.
Right now Bro sees everything and logs everything, but I want a log of just the malicious traffic.

With this email, I am attaching the .pcaps I am using to generate the traffic. (Link to pcaps: https://www.dropbox.com/s/csduqscqaccdmld/Pcaps.zip?dl=0)
If you have a simple script to do this, do you mind sharing it with me? And I would greatly appreciate it if you could explain a bit how to actually run it.

Moreover, if you have some other .pcaps of any kind of malicious traffic and if you think it would be easy to see the logs using them, I could use them as well.

Thank you so much!!

Regards
Priyal Shah