Tags: security, logging, pcap, bro

Bro: Log only one stream


My goal is to run a command like bro --iface <interface> and get only the conn.log, but I cannot tell from the Bro docs or manpages how to do this.

Thanks.


Solution

  • This gets you going:

    bro -i <interface> -b base/protocols/conn
    

    With -b you start Bro in "bare mode," meaning it doesn't load the set of standard scripts. One would use this mode to disable everything by default and only selectively enable certain analysis. In general, you can provide an arbitrary list of scripts that ship with the Bro distribution on the command line. In this case, I show that it works with the script that generates conn.log.
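The bare-mode invocation above generalizes to any subset of the stock protocol logs, since each base/protocols/<proto> script produces the matching <proto>.log. The helper below, an added example that is not part of the answer or of the Bro project, builds that command line from a list of wanted log names, reads from a pcap with -r when the source is a file (so the run terminates and can be inspected) and otherwise sniffs with -i. The set of recognised log names is an assumption limited to scripts that exist in the Bro distribution; the run_bare function is only useful on a host that has bro installed.

```shell
#!/bin/sh
# Added example: assemble "bro -b" command lines that load only the
# analyzers whose logs you want. Not from the original answer.

# script_for_log <logname>
#   Prints the base script that generates <logname>.log. Assumes the stock
#   layout base/protocols/<proto>; the name list is deliberately small and
#   unknown names fail loudly instead of silently loading nothing.
script_for_log() {
    case "$1" in
        conn|dns|http|ssl|ssh|ftp|smtp)
            printf 'base/protocols/%s\n' "$1" ;;
        *)
            return 1 ;;
    esac
}

# bro_cmdline <source> <log> [<log> ...]
#   <source> is a pcap path (read offline with -r) when it names an existing
#   file, otherwise an interface name (captured live with -i). Output is a
#   single line such as: bro -i eth0 -b base/protocols/conn
bro_cmdline() {
    src=$1
    shift
    if [ -f "$src" ]; then
        cmd="bro -r $src -b"
    else
        cmd="bro -i $src -b"
    fi
    for log in "$@"; do
        s=$(script_for_log "$log") || {
            echo "unknown log name: $log" >&2
            return 1
        }
        cmd="$cmd $s"
    done
    printf '%s\n' "$cmd"
}

# run_bare <pcap> <log> [<log> ...]
#   Runs the assembled command in a scratch directory (Bro writes logs to
#   the current directory) and lists the *.log files it produced, so you can
#   confirm that only the requested logs appear. Use a pcap, not an
#   interface: a live capture does not return on its own.
run_bare() {
    cmd=$(bro_cmdline "$@") || return 1
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && $cmd ) || return 1
    ls "$dir"/*.log 2>/dev/null
}

# Example: on a host with bro installed, print the conn.log-only command
# and run it against a capture.
#   bro_cmdline eth0 conn
#   run_bare /path/to/capture.pcap conn dns
```

The -b flag replaces the default script set rather than adding to it, so anything not listed explicitly (including the notice and reporter logs the standard scripts would otherwise produce) stays off; check the scratch directory listing from run_bare before relying on a trimmed-down configuration for detection.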