When invoking Bro, you can control its behavior using a large number of flags and arguments. Most options can be specified using either a more readable long version (starting with two dashes) or a more compact but sometimes less intuitive short version (a single dash followed by a single letter). Arguments can be provided after whitespace (e.g., “-r file.pcap” or “--readfile file.pcap”) and also using an equals sign when the long version is used (e.g., “--readfile=file.pcap”). Single-letter flags without arguments can be combined into a single option element (e.g., “-dWF” is the same as “-d -W -F”).
-d|--debug-policy
-e|--exec <Bro statements>
-f|--filter <filter>
restrict_filter, or the default of “tcp or udp”.
-h|--help|-?
-g|--dump-config
state_dir variable, defined in bro.init and subject to refinement.
-i|--iface <interface>
Note that if no interfaces are specified, then Bro will not read any network traffic. It does not have a notion of a “default” interface from which to read.
-p|--prefix <prefix>
-r|--readfile <readfile>
Note that use of -r is mutually exclusive with use of -i. However, you can use -r when running scripts that refine interfaces, in which case the -r option takes precedence and Bro performs off-line analysis.
-s|--rulefile <signaturefile>
-t|--tracefile <tracefile>
-w|--writefile <writefile>
http analyzer), Bro does not record the contents of HTTP SYN/FIN/RST packets to the trace file. The reason for this is that HTTP FIN packets often contain a large amount of data, which is not of any interest if you are not using HTTP analysis, and due to the very high volume of HTTP traffic at many sites, removing this data can significantly reduce the size of the save file. Deficiency: Clearly, this should not be hardwired into Bro but under user control.
Save files written using -w are of course readable using -r. Accordingly, you will generally want to use -w when running Bro on live network traffic so you can rerun it off-line later to understand any problems that arise, and also to experiment with the effects of changes to the policy scripts.
You can also combine -r with -w to both read save file(s) and write another. This is of interest when using multiple instances of -r, as it provides a way to merge tcpdump save files.
-v|--version
-x|--print-state <Bro state file>
-z|--analyze <analysis>
-A|--transfile <writefile>
-C|--no-checksums
net_weird and conn_weird events (see also Events handled by net_weird, Events handled by conn_weird, and weird variables). This flag causes Bro to ignore incorrect checksums.
-D|--dfa-size <size>
-F|--force-dns
The point behind this option is to ensure that Bro starts quickly, rather than possibly stalling for an indeterminate amount of time resolving a hostname. Fast startup simplifies checkpointing a running Bro: you can start up a new Bro and then kill off the old one shortly after. You'd like this to occur in a manner such that there's no period during which neither Bro is watching the network (the older because you killed it off too early, the newer because it's stuck resolving hostnames).
-I|--print-id <name>
-K|--md5-hashkey <hashkey>
Note: This means that by default repeated runs of Bro on identical inputs do not necessarily yield identical output. If you want to ensure determinism, use the --save-seeds and --load-seeds options.
-L|--rule-benchmark
-O|--optimize
-P|--prime-dns
-S|--debug-rules
-T|--re-level <level>
-W|--watchdog
Bro only activates the watchdog if it is reading live network traffic. The watchdog consists of a periodic timer that fires every WATCHDOG_INTERVAL seconds. (Deficiency: clearly this should be a user-definable value.) At that point, the watchdog checks to see whether Bro is still working on the same packet as it was the last time the watchdog expired. If so, then the watchdog logs this fact along with some information regarding when Bro began processing the current packet and how many events it processed after handling the packet. Finally, it prints the packet drop information for the different interfaces Bro was reading from, and aborts execution.
--save-seeds <file>
-K|--md5-hashkey, and is intended to be used with --load-seeds in future Bro runs.
--load-seeds <file>
--save-seeds in an earlier Bro invocation.