I first have to make "my own".bro, and then add the "my own.bro" file to
policy setting in bro.cfg?
What I'm wondering is to set up for general IDS OFF-Line test.
In my thought, it is not easy to test in Off-line in comparison with Snort,
although Bro performance is better than snort.
I really appreciate if you tell me know more specific method to use Bro in
> When I try to off-line analysis with -r option, how can I use all Bro
The notion of "all Bro rules" is not that well defined. There are a
number (100+) of policy files in policy/*.bro, some of which are
with others (for example, print-filter.bro prints the BPF filter being
and then exits).
That said, here's what we use when to run against our internal test