1BRO(8) System Administration Utilities BRO(8)
2
6 bro - passive network traffic analyzer
7
9 bro [options] [file ...]
10
12 Bro is primarily a security monitor that inspects all traffic on a link
13 in depth for signs of suspicious activity. More generally, however, Bro
14 supports a wide range of traffic analysis tasks even outside of the
15 security domain, including performance measurements and helping with
16 trouble-shooting.
17 Bro comes with built-in functionality for a range of analysis and
19 detection tasks, including detecting malware by interfacing to external
20 registries, reporting vulnerable versions of software seen on the net‐
21 work, identifying popular web applications, detecting SSH brute-forc‐
22 ing, validating SSL certificate chains, among others.
23
25 <file> policy file, or read stdin
26 -a, --parse-only
28 exit immediately after parsing scripts
29 -b, --bare-mode
31 don't load scripts from the base/ directory
32 -d, --debug-policy
34 activate policy file debugging
35 -e, --exec <bro code>
37 augment loaded policies by given code
38 -f, --filter <filter>
40 tcpdump filter
41 -g, --dump-config
43 dump current config into .state dir
44 -h, --help|-?
46 command line help
47 -i, --iface <interface>
49 read from given interface
50 -p, --prefix <prefix>
52 add given prefix to policy file resolution
53 -r, --readfile <readfile>
55 read from given tcpdump file
56 -s, --rulefile <rulefile>
58 read rules from given file
59 -t, --tracefile <tracefile>
61 activate execution tracing
62 -w, --writefile <writefile>
64 write to given tcpdump file
65 -v, --version
67 print version and exit
68 -x, --print-state <file.bst>
70 print contents of state file
71 -C, --no-checksums
73 ignore checksums
74 -F, --force-dns
76 force DNS
77 -I, --print-id <ID name>
79 print out given ID
80 -N, --print-plugins
82 print available plugins and exit (-NN for verbose)
83 -P, --prime-dns
85 prime DNS
86 -Q, --time
88 print execution time summary to stderr
89 -R, --replay <events.bst>
91 replay events
92 -S, --debug-rules
94 enable rule debugging
95 -T, --re-level <level>
97 set 'RE_level' for rules
98 -U, --status-file <file>
100 Record process status in file
101 -W, --watchdog
103 activate watchdog timer
104 -X, --broxygen <cfgfile>
106 generate documentation based on config file
107 --pseudo-realtime[=<speedup>]
109 enable pseudo-realtime for performance evaluation (default 1)
110 --load-seeds <file>
112 load seeds from given file
113 --save-seeds <file>
115 save seeds to given file
116 The following option is available only when Bro is built with the
118 --enable-debug configure option:
119 -B, --debug <dbgstreams>
121 Enable debugging output for selected streams ('-B help' for
122 help)
123 The following options are available only when Bro is built with
125 gperftools support (use the --enable-perftools and
126 --enable-perftools-debug configure options):
127 -m, --mem-leaks
129 show leaks
130 -M, --mem-profile
132 record heap
133
135 BROPATH
136 file search path
137 BRO_PLUGIN_PATH
139 plugin search path
140 BRO_PLUGIN_ACTIVATE
142 plugins to always activate
143 BRO_PREFIXES
145 prefix list
146 BRO_DNS_FAKE
148 disable DNS lookups
149 BRO_SEED_FILE
151 file to load seeds from
152 BRO_LOG_SUFFIX
154 ASCII log file extension
155 BRO_PROFILER_FILE
157 Output file for script execution statistics
158 BRO_DISABLE_BROXYGEN
160 Disable Broxygen documentation support
161
163 bro was written by The Bro Project <info@bro.org>.
164bro November 2014 BRO(8)