Monitoring a directory and running bro on the PCAPs

Does anyone have experience using Bro to run its analysis on PCAPs being
written to a directory in an automated fashion?
Should a cron just be run at a lag using bro -r and script options?
Thank you,


Hi Art,

that is the easiest way to do that, yes, just run Bro after the pcap files
have been written. The only disadvantage of this approach is that you
loose session state between runs of Bro; when you run Bro on the following
file, it will not parse any data from tcp sessions that started in the
previous file.


Thank you. Is it possible to stream the pcap data to bro in lieu of monitoring a directory? Thanks!



unless you have a way to replay the data to an interface that Bro can
listen on (either by duplicating the traffic, or by using something like
tcpreplay), I am not really aware of a good solution.


Either that or inotify that's runs bro with a few lines of Python code. Replaying is better because it won't create a backlogs or bros.

Or even a few lines in Python with inotify that starts replay?

I have made a packetbroker for this. Use tcpdump + netcat to the packetbroker for each interface. Then with one bro consume all packets from the broker.
Its a concept test and was written in perl.


Thank you all for the advice. I am trying not to duplicate capturing efforts as we use a different in house developed open sourced tool (Moloch) for capture as well. Currently I am running bro concurrently with suri and would love to reduce the overhead of performing both capture and analysis with bro. Thanks again all! I will think about using our npbs for a duplicate traffic stream and look into the other suggestions mentioned as well.


Hmm, it probably wouldn't be that hard to write a 'pcapdir' pkt source for bro. Basically it would just need to:

while(!terminating) {
    pcap_files = all .pcap files in SOURCE_DIR
    sort pcap_files by oldest # hopefully there is only one file
    for each pcap file {
        open and process packets into bro
        delete pcap #or move to a DONE_DIR/.
    if no files in pcap_files

You'd just need the other tool to hardlink or move the pcaps into the SOURCE_DIR as they are done being written to.

This would also fix the tcp session issues.