Standard Bro checks on tcpdump files. What does that really mean?

When we do a bro -r dumpfile on a previously recorded dump file, what are the standard checks Bro really executes? All that come defined within the Bro scripts directory (export BROPATH=/…)? Backdoor.bro, etc.? Or just a part of it?


When running bro -r dumpfile, you have to specify a policy file or a set of policy files that are used to process the dump file.

The usual default option is to use local.bro (found in the <your_bro_install>/share/bro/site/ folder).

So this becomes: bro -r dumpfile local.bro

Once it has run successfully, look in the log directory for a file called loaded_scripts.log. This log lists the policy files that were used for this specific Bro run and analysis.

(If you are running Bro as a daemon after doing broctl start, then you can use broctl scripts all to get a listing of the loaded policies as well.)
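As an added example that is not part of the original answer: a small POSIX shell helper that answers the asker's question from loaded_scripts.log after a bro -r dumpfile local.bro run, i.e. it lists what was actually loaded and checks whether a particular script (backdoor.bro, say) is among them. It assumes loaded_scripts.log is a standard tab-separated Bro log with a single "name" column (one script path per line) and "#"-prefixed metadata lines. The function names and the sample log it writes are ours, not Bro's, and the sample paths are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the loaded_scripts.log that
#     bro -r dumpfile local.bro
# writes into the working directory and reports which scripts were loaded.
# Assumed log layout (standard Bro ASCII log): "#"-prefixed metadata lines
# (#separator, #fields, #open, #close ...) and one script path per data line.
# Function names and the constructed sample log below are ours, not Bro's.

# List the script paths recorded in a loaded_scripts.log, dropping the
# #-prefixed header/footer lines and any blank lines.
loaded_scripts() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$'
}

# Number of scripts the run loaded.
loaded_count() {
    loaded_scripts "$1" | wc -l | tr -d ' '
}

# Return 0 if a script with this file name (e.g. backdoor.bro) was loaded,
# 1 otherwise. Matching on the last path component keeps the check
# independent of the install prefix (/usr/local/bro, /opt/bro, ...).
script_loaded() {
    loaded_scripts "$1" | awk -v want="$2" '
        { n = split($0, p, "/"); if (p[n] == want) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample log for offline demonstration. The paths are made up;
# a real run's log lists whatever local.bro and its @loads pulled in.
write_sample_log() {
    {
        printf '#separator \\x09\n'
        printf '#set_separator\t,\n'
        printf '#empty_field\t(empty)\n'
        printf '#unset_field\t-\n'
        printf '#path\tloaded_scripts\n'
        printf '#fields\tname\n'
        printf '#types\tstring\n'
        printf '%s\n' \
            /usr/local/bro/share/bro/base/init-bare.bro \
            /usr/local/bro/share/bro/base/init-default.bro \
            /usr/local/bro/share/bro/base/frameworks/logging/main.bro \
            /usr/local/bro/share/bro/site/local.bro \
            /usr/local/bro/share/bro/policy/protocols/ssl/validate-certs.bro
        printf '#close\t2014-01-01-00-00-00\n'
    } > "$1"
}

# Demonstration on the constructed log. For a real run, point SAMPLE_LOG at
# the loaded_scripts.log in the directory where you ran bro -r.
SAMPLE_LOG="${TMPDIR:-/tmp}/loaded_scripts.sample.log"
write_sample_log "$SAMPLE_LOG"

loaded_scripts "$SAMPLE_LOG"
echo "scripts loaded: $(loaded_count "$SAMPLE_LOG")"
for s in local.bro backdoor.bro; do
    if script_loaded "$SAMPLE_LOG" "$s"; then
        echo "$s: loaded"
    else
        echo "$s: not loaded"
    fi
done
```

On the constructed log this reports local.bro as loaded and backdoor.bro as not loaded, which is the point of the answer: only what local.bro (directly or via @load) pulls in actually runs, and loaded_scripts.log is the authoritative record of that for a given run.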