Hi Bro List,
I am new to bro and I'm trying to find out if there is an easy / automated
way to identify the packets that triggered a notice/alarm. I am focused on
offline-analysis. For example can you use a technique to read/write, ex. -r
a.pcap -w b.pcap, where a.pcap contains all traffic and b.pcap contains all
traffic that triggered an alarm or conversely all traffic that did not
trigger an alarm? This would be similar to how snort writes a pcap log of
suspect traffic. If this is not possible is there sufficient information in
the logs to identify individual packets that triggered an alarm/notice? And
are there any bundled tools for faciliating this process? I am focused on
Essentialy my goal is to pass large sets of data through bro and segregate
the traffic into either clean or suspect subsets. I have done some searching
on the wiki but it seems that most of my leads bring me to the "Reference
Manual: Missing Documentation" page.
I greatly appreciate any guidance you can provide!