Off-line analysis

When I try to off-line analysis with -r option, how can I use all Bro
rules?

The notion of "all Bro rules" is not that well defined. There are a large
number (100+) of policy files in policy/*.bro, some of which are incompatible
with others (for example, print-filter.bro prints the BPF filter being used
and then exits).

That said, here's what we use when to run against our internal test suite:

  @load site
  @load mt
  @load tftp
  @load dns
  @load flag-irc
  @load smtp-relay
  @load software
  @load ssh
  @load worm
  @load backdoor.bro
  @load blaster.bro
  @load flag-warez.bro
  @load gnutella.bro
  @load http-abstract.bro
  @load http-body.bro
  @load http-reply.bro
  @load icmp.bro
  @load ssl-worm.bro
  @load stepping.bro
  @load synflood.bro

This winds up loading a whole lot of the analysis.

    Vern

When I try to off-line analysis with -r option, how can I use all Bro
rules?

I'm taking at stab at this since I've been wrestling with a very similar
situation for a class. Anyway, if by rules you mean snort type signatures
you can do one of the following:

a. on the command line via -s rulefilename

b. in a policy script using the "signature_files" variable. i'm been doing
the following:

  redef signature_files += "snort-default.sig";
  redef signature_files += "worm.sig";

In addition I threw in an event to dump some info out.

event bro_init()
{
  print fmt("-- signature_files = [%s]", signature_files);

  # the http_servers is readable but by no means pretty.
  print fmt("-- http_servers = [%s]", http_servers);
}

Note: I'm no expert but I believe http_servers is signficant for a number of
the snort signatures.

For what its worth, I've been attempting to compare snort vs bro for a class
(perhaps like you are) and evidently I'm doing something wrong since I get
dozens of unique alerts (or alarms) in snort, but only 3 unique ones in bro.
I'm sure it is a configuration problem but if anyone wants to volunteer any
suggestions it would be appreciated.

thanks.

john