bro(8) passive network traffic analyzer

SYNOPSIS

bro / [options] [file ...]

DESCRIPTION

Bro is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and helping with trouble-shooting.

Bro comes with built-in functionality for a range of analysis and detection tasks, including detecting malware by interfacing to external registries, reporting vulnerable versions of software seen on the network, identifying popular web applications, detecting SSH brute-forcing, validating SSL certificate chains, among others.

OPTIONS

<file>
policy file, or read stdin
-a, --parse-only
exit immediately after parsing scripts
-b, --bare-mode
don't load scripts from the base/ directory
-d, --debug-policy
activate policy file debugging
-e, --exec <bro code>
augment loaded policies by given code
-f, --filter <filter>
tcpdump filter
-g, --dump-config
dump current config into .state dir
-h, --help|-?
command line help
-i, --iface <interface>
read from given interface
-p, --prefix <prefix>
add given prefix to policy file resolution
-r, --readfile <readfile>
read from given tcpdump file
-s, --rulefile <rulefile>
read rules from given file
-t, --tracefile <tracefile>
activate execution tracing
-w, --writefile <writefile>
write to given tcpdump file
-v, --version
print version and exit
-x, --print-state <file.bst>
print contents of state file
-z, --analyze <analysis>
run the specified policy file analysis
-C, --no-checksums
ignore checksums
-F, --force-dns
force DNS
-I, --print-id <ID name>
print out given ID
-J, --set-seed <seed>
set the random number seed
-K, --md5-hashkey <hashkey>
set key for MD5-keyed hashing
-N, --print-plugins
print available plugins and exit (-NN for verbose)
-P, --prime-dns
prime DNS
-Q, --time
print execution time summary to stderr
-R, --replay <events.bst>
replay events
-S, --debug-rules
enable rule debugging
-T, --re-level <level>
set 'RE_level' for rules
-U, --status-file <file>
Record process status in file
-W, --watchdog
activate watchdog timer
-X, --broxygen <cfgfile>
generate documentation based on config file
--pseudo-realtime[=<speedup>]
enable pseudo-realtime for performance evaluation (default 1)
--load-seeds <file>
load seeds from given file
--save-seeds <file>
save seeds to given file
The following option is available only when Bro is built with the --enable-debug configure option:
-B, --debug <dbgstreams>
Enable debugging output for selected streams ('-B help' for help)
The following options are available only when Bro is built with gperftools support (use the --enable-perftools and --enable-perftools-debug configure options):
-m, --mem-leaks
show leaks
-M, --mem-profile
record heap

ENVIRONMENT

BROPATH
file search path
BRO_PLUGIN_PATH
plugin search path
BRO_PLUGIN_ACTIVATE
plugins to always activate
BRO_PREFIXES
prefix list
BRO_DNS_FAKE
disable DNS lookups
BRO_SEED_FILE
file to load seeds from
BRO_LOG_SUFFIX
ASCII log file extension
BRO_PROFILER_FILE
Output file for script execution statistics
BRO_DISABLE_BROXYGEN
Disable Broxygen documentation support

AUTHOR

bro was written by The Bro Project <[email protected]>.