Off-line Analysis

Some policy modules are intended to be run off-line over bulk trace files rather than on live traffic. These include:

backdoor.bro: looks for standard services running on non-standard ports. The services it recognises are ssh, http, ftp, telnet, and rlogin.

To run Bro on a tcpdump file, do something like this:

     # set up the Bro environment (sh or bash)
     . /usr/local/bro/etc/bro.cfg
     /usr/local/bro/bin/bro -r dumpfile backdoor.bro

To use Bro to extract the contents of a trace file, do:

     bro -r tracefile contents

which loads policy/contents.bro. That script stores the contents of each connection in two files, contents.H1.P1.H2.P2 and contents.H2.P2.H1.P1, where H1/P1 are the originator's host and port and H2/P2 the responder's.

You can extract just the connections of interest using, for example:

     bro -f "host 1.2.3.4" -r tracefile contents
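The following shell helpers are an added example, not part of the Bro manual: one wraps the per-host extraction command above (using the bro.cfg path the manual gives), and the other two parse the contents.H1.P1.H2.P2 file names the contents policy writes and summarise how many bytes each direction of each connection carried. They assume IPv4 addresses, which is what those names encode.

```shell
# Run the manual's per-host extraction step: a BPF filter selects one host,
# and the contents policy writes one file per direction of each connection.
extract_host_contents() {
    host=$1
    trace=$2
    . /usr/local/bro/etc/bro.cfg
    bro -f "host $host" -r "$trace" contents
}

# Parse a contents file name into "orig_host orig_port resp_host resp_port".
# The name is purely dot-separated: "contents", four octets and a port for the
# originator, four octets and a port for the responder, i.e. exactly 11 fields.
# Anything else (including an IPv6-style name) makes the function return 1.
parse_contents_name() {
    printf '%s\n' "$1" | awk -F. '
        NF == 11 && $1 == "contents" && $6 ~ /^[0-9]+$/ && $11 ~ /^[0-9]+$/ {
            printf "%s.%s.%s.%s %s %s.%s.%s.%s %s\n",
                   $2, $3, $4, $5, $6, $7, $8, $9, $10, $11
            exit 0
        }
        { exit 1 }'
}

# One line per contents file in a directory: originator, responder and the
# number of bytes that direction carried. Unparseable names go to stderr so a
# stray file does not silently vanish from the summary.
summarize_contents() {
    dir=${1:-.}
    for f in "$dir"/contents.*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if tuple=$(parse_contents_name "$name"); then
            size=$(wc -c < "$f" | tr -d ' ')
            printf '%s %s\n' "$tuple" "$size"
        else
            echo "skipping unrecognised file name: $name" >&2
        fi
    done
}
```

A quick sanity check after a run is to compare the two directions of a connection: a large request direction with a near-empty response (or the reverse) on a port that should carry an interactive service is exactly the kind of oddity backdoor.bro is looking for.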