Thanks for your kind explanation.
Anyhow, what I really want to know is to do some ID attack ananlsys using
If you have experienced such things with Bro, please let me know.
I get some tcpdump raw file, but it is not easy to handle Bro for offline
> When I try to off-line analysis with -r option, how can I use all Bro
I'm taking at stab at this since I've been wrestling with a very similar
situation for a class. Anyway, if by rules you mean snort type
you can do one of the following:
a. on the command line via -s rulefilename
b. in a policy script using the "signature_files" variable. i'm been
redef signature_files += "snort-default.sig";
redef signature_files += "worm.sig";
In addition I threw in an event to dump some info out.
print fmt("-- signature_files = [%s]", signature_files);
# the http_servers is readable but by no means pretty.
print fmt("-- http_servers = [%s]", http_servers);
Note: I'm no expert but I believe http_servers is signficant for a number
the snort signatures.
For what its worth, I've been attempting to compare snort vs bro for a
(perhaps like you are) and evidently I'm doing something wrong since I
dozens of unique alerts (or alarms) in snort, but only 3 unique ones in
I'm sure it is a configuration problem but if anyone wants to volunteer