Off-line analysis

If so,
I first have to make "my own".bro, and then add the "my own.bro" file to
policy setting in bro.cfg?

What I'm wondering is to set up for general IDS OFF-Line test.
In my thought, it is not easy to test in Off-line in comparison with Snort,
although Bro performance is better than snort. :slight_smile:

I really appreciate if you tell me know more specific method to use Bro in
off-line test.

Best Regards,

> When I try to off-line analysis with -r option, how can I use all Bro
> rules?

The notion of "all Bro rules" is not that well defined. There are a


number (100+) of policy files in policy/*.bro, some of which are


with others (for example, print-filter.bro prints the BPF filter being


and then exits).

That said, here's what we use when to run against our internal test