Usually, rather than running Bro interactively you want it to execute a policy script or a set of policy scripts. You do so by specifying the names of the scripts as command-line arguments, such as:
bro ~/my-policy.bro ~/my-additional-policy.bro
Bro provides several mechanisms for simplifying how you specify which policies to run.
First, if a policy file doesn't exist then it will try again using .bro as a suffix, so the above could be specified as:
bro ~/my-policy ~/my-additional-policy
Second, Bro consults the colon-separated search path in $BROPATH to locate policy scripts. If your home directory was listed in $BROPATH, then you could have invoked it above using:
bro my-policy my-additional-policy
Note: If you define $BROPATH, you must include bro-dir/policy, where bro-dir is where you have built or installed Bro, because it has to be able to locate bro-dir/policy/bro.init to initialize itself at run-time.
Third, the @load directive can be used in a policy script to indicate that Bro should at that point process another policy script (like C's #include directive; see ). So you could have in my-policy:
@load my-additional-policy
and then just invoke Bro using:
bro my-policy
providing you always want to load my-additional-policy whenever you load my-policy.
Note that the predefined Bro module mt loads almost all of the other standard Bro analyzers, so you can pull them in with simply:
@load mt
or by invoking Bro using “bro mt my-policy”.
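The three lookup rules above (exact name, then the .bro suffix, then each $BROPATH directory in order, with @load followed recursively) are easy to get wrong when two directories hold scripts of the same name. The following is an added example, not code from the Bro manual or from Bro itself: it reimplements that resolution in POSIX sh over a constructed policy tree, so you can see which file a name actually resolves to and the order in which "bro mt my-policy" would load scripts. It assumes exact-name-before-suffix and left-to-right $BROPATH order, as the text describes.

```shell
# Added example (not from the Bro manual): reimplements the script-name
# resolution described above and follows @load directives to show the
# effective load order. The policy tree it builds is constructed sample data.

# try_file BASE: print BASE if it exists, else BASE.bro if that exists.
try_file() {
    for cand in "$1" "$1.bro"; do
        [ -f "$cand" ] && { printf '%s\n' "$cand"; return 0; }
    done
    return 1
}

# resolve_policy NAME: the file Bro would load for NAME, or failure.
resolve_policy() {
    case $1 in */*) try_file "$1" && return 0; return 1 ;; esac  # explicit path: no search
    oldifs=$IFS; IFS=:
    for dir in $BROPATH; do            # colon-separated, searched left to right
        IFS=$oldifs
        try_file "$dir/$1" && return 0
    done
    IFS=$oldifs
    return 1
}

# visit NAME: print NAME's file, then recurse into its @load directives
# depth-first; a script already seen is skipped (the first load wins).
visit() {
    path=$(resolve_policy "$1") || { echo "cannot find $1" >&2; return 1; }
    case $seen in *" $path "*) return 0 ;; esac
    seen="$seen$path "
    printf '%s\n' "$path"
    for dep in $(sed -n 's/^@load[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$path"); do
        visit "$dep" || return 1
    done
}

# load_order NAME...: the full load order for "bro NAME...".
load_order() { seen=" "; for n in "$@"; do visit "$n" || return 1; done; }

# setup_demo: build the constructed policy tree and point $BROPATH at it,
# listing the home directory before bro-dir/policy (which holds bro.init).
setup_demo() {
    root=$(mktemp -d); mkdir -p "$root/home" "$root/policy"
    : > "$root/policy/bro.init"; : > "$root/policy/dns.bro"; : > "$root/policy/http.bro"
    printf '@load dns\n@load http\n' > "$root/policy/mt.bro"
    printf '@load my-additional-policy\n' > "$root/home/my-policy.bro"
    printf '@load http\n' > "$root/home/my-additional-policy.bro"
    BROPATH="$root/home:$root/policy"; export BROPATH
}

setup_demo; load_order mt my-policy; rm -rf "$root"
```

Because the home directory is listed first, a script there shadows a same-named one in bro-dir/policy; swap the two $BROPATH entries to see the resolution change.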