


2.1.3 Specifying policy scripts

Usually, rather than running Bro interactively you want it to execute a policy script or a set of policy scripts. You do so by specifying the names of the scripts as command-line arguments, such as:

         bro ~/my-policy.bro ~/my-additional-policy.bro

Bro provides several mechanisms for simplifying how you specify which policies to run.

First, if a policy file with the given name doesn't exist, Bro tries again with .bro appended as a suffix, so the above could be specified as:

         bro ~/my-policy ~/my-additional-policy

Second, Bro consults the colon-separated search path $BROPATH to locate policy scripts. If your home directory is listed in $BROPATH, then you could run the example above using:

         bro my-policy my-additional-policy

Note: If you define $BROPATH, you must include bro-dir/policy, where bro-dir is where you have built or installed Bro, because it has to be able to locate bro-dir/policy/bro.init to initialize itself at run-time.

Third, the @load directive can be used in a policy script to indicate that Bro should at that point process another policy script (like C's include directive; see ). So you could have in my-policy:

         @load my-additional-policy

and then just invoke Bro using:

         bro my-policy

provided that you always want to load my-additional-policy whenever you load my-policy.

Note that the predefined Bro module mt loads almost all of the other standard Bro analyzers, so you can pull them in with simply:

         @load mt

or by invoking Bro using “bro mt my-policy”.
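Because a name such as mt or my-policy is resolved through the .bro suffix rule and $BROPATH, it is worth checking which file a name actually maps to, and whether an earlier directory shadows a standard policy. The shell helpers below are an added example, not part of Bro or of this manual; they assume each $BROPATH directory is tried in order, exact name first and then name.bro, which may differ from Bro's real ordering.

```shell
# Added example, not Bro's own code. Assumption: $BROPATH directories are
# tried in order, exact name first, then name.bro.

# Print every file that could satisfy a policy name, in lookup order.
policy_candidates() {
    name=$1
    case $name in
        */*)  # explicit path such as ~/my-policy: no search-path lookup
            for cand in "$name" "$name.bro"; do
                [ -f "$cand" ] && printf '%s\n' "$cand"
            done
            return 0 ;;
    esac
    rest=${BROPATH}:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}      # first remaining path element
        rest=${rest#*:}      # drop it from the list
        [ -n "$dir" ] || continue
        for cand in "$dir/$name" "$dir/$name.bro"; do
            [ -f "$cand" ] && printf '%s\n' "$cand"
        done
    done
    return 0
}

# Print the first candidate (the one that would be loaded); fail if none.
resolve_policy() {
    match=$(policy_candidates "$1" | head -n 1)
    [ -n "$match" ] && printf '%s\n' "$match"
}

# Report on a list of policy names: missing bro.init, shadowed names.
audit_policies() {
    resolve_policy bro.init >/dev/null ||
        echo "WARNING: bro.init not reachable through \$BROPATH"
    for p in "$@"; do
        n=$(policy_candidates "$p" | wc -l)
        if [ "$n" -eq 0 ]; then echo "$p: not found"
        elif [ "$n" -gt 1 ]; then echo "$p: $(resolve_policy "$p") (shadows $((n - 1)) other file(s))"
        else echo "$p: $(resolve_policy "$p")"
        fi
    done
}
```

Running `audit_policies mt my-policy` before starting Bro shows the file each name resolves to and flags a $BROPATH that omits the directory holding bro.init.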