Hi Bro List,

I am new to bro and I'm trying to find out if there is an easy / automated way to identify the packets that triggered a notice/alarm. I am focused on offline-analysis. For example can you use a technique to read/write, ex. -r a.pcap -w b.pcap, where a.pcap contains all traffic and b.pcap contains all traffic that triggered an alarm or conversely all traffic that did not trigger an alarm? This would be similar to how snort writes a pcap log of suspect traffic. If this is not possible is there sufficient information in the logs to identify individual packets that triggered an alarm/notice? And are there any bundled tools for faciliating this process? I am focused on http traffic.

Essentialy my goal is to pass large sets of data through bro and segregate the traffic into either clean or suspect subsets. I have done some searching on the wiki but it seems that most of my leads bring me to the "Reference Manual: Missing Documentation" page.

I greatly appreciate any guidance you can provide!

Thanks,
-Rob