new to bro, a few questions

John_Brown_isFaster · February 5, 2017, 3:20am

Hi, I’m new to Bro and I’m wondering how I can do a couple of things:

I’d like to basically disable all of the various rules and detection stuff.
I’d like to create a simple rule that detects say DNS packets with cpsc.gov in the query or answer

Figure it would be best to start simple and then build up rules (either my own, or others) as I need them. Sort of a K&R “Hello World” approach…

Any specifics would be much appreciated.

Thank you

anthony_kasza1 · February 5, 2017, 10:03pm

You may want to look at Bro’s “bare mode”. It starts Bro without many of Bro’s features.

-AK

Topic		Replies	Views
Bro quickstart Zeek	4	63	May 6, 2022
Bro IDS Zeek	2	86	May 6, 2022
First use of Bro Zeek	2	106	May 6, 2022
icmp and bro Zeek	1	74	May 6, 2022
useful *.bro files repository? Zeek	1	50	May 6, 2022