loading modules and automatically using custom scripts


I have 2 questions:

  1. How to load custom scripts in the core of Bro?

  2. Is the extract files script different because it’s not in the “policy” folder?

I’m trying to understand how Bro custom scripts work.

As far as I understand, custom scripts are supposed to go in the “policy” section, and then are called from the local.bro script.

To test this behavior I created a script that flags every DNS query.

It just generates a notice and logs it.

I run bro on my nslookups pcap (specifying the dns logger script in the command line) and it works, but when I add: @load dummy/dummy-dns to local.bro and just run bro without specifying the additional file I see no notice.log file. (My script is in the folder /opt/bro/share/bro/policy/dummy that I created for the occasion.)

Then my problem is with extracting files, my local.bro contains:

@load file-extraction/extract (in the folder /opt/bro/share/bro) and it doesn’t extract files if I just run bro without specifying the script in the command line.

broctl scripts shows my scripts so I thought they were used now by the bro instance but nothing. It doesn’t log the files I download, it doesn’t notice me when I do a DNS query.

How to do that in Bro and use custom script by default for all the incoming traffic?