4.2 Running Bro from the command line

If you use bash as your shell, you can start Bro by hand like this:

     cd /usr/local/bro
     . etc/bro.cfg
     ./bro -i eth1 -i eth2 myhost.mysite.org.bro

The '. etc/bro.cfg' line should set your $BROHOME and $BROPATH correctly so that Bro can find all of the needed files.

Files are loaded in the following order: Bro is invoked with a start file (in the example above, myhost.mysite.org.bro). In that file (which is in $BROHOME/site) there should be a couple of lines like this at the top:

---------------- myhost.mysite.org.bro ----------------------------
@prefixes = local
@load site      # file generated by the network script for dynamic config
                   # of the local network subnets.

# Make any changes to policy starting here
....
-------------- end  --------------------------------------

The '@load site' line will load the local.site.bro file from $BROHOME/site. If you are making changes, you should make them in the 'myhost.mysite.org.bro' file.

Bro can also be run on files written by tcpdump -w instead of on live traffic. To do this, you must set the BROPATH environment variable to point at your set of policy scripts. For example (in csh):

     setenv BROHOME /usr/local/bro
     setenv BROPATH $BROHOME/site:$BROHOME/policy
     bro -r dumpfile brohost
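
A pre-flight check for the offline run above, written for sh/bash. It is an added example, not part of the Bro distribution. The function names and return codes are hypothetical, and the lookup rule (NAME or NAME.bro in each $BROPATH directory, first match wins) is an assumption about how Bro resolves script names.

```shell
#!/bin/sh
# Added example (not from the Bro distribution): confirm that the trace file
# and the start script can be found before running "bro -r dumpfile brohost".
# Assumption: a script NAME is resolved as NAME or NAME.bro in each directory
# of the colon-separated $BROPATH, and the first match wins.

# find_in_bropath NAME -> prints the first matching path, returns 1 if none
find_in_bropath() {
    name=$1
    rest=${BROPATH:-}:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}          # next directory on the path
        rest=${rest#*:}          # remainder after the first colon
        [ -n "$dir" ] || continue
        for cand in "$dir/$name" "$dir/$name.bro"; do
            if [ -f "$cand" ] && [ -r "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# preflight_offline DUMPFILE STARTFILE
# returns 0 if ready, 2 if BROPATH is unset, 3 if the trace is unreadable,
# 4 if the start file is not on BROPATH
preflight_offline() {
    dump=$1
    start=$2
    [ -n "${BROPATH:-}" ] || { echo "BROPATH is not set" >&2; return 2; }
    [ -r "$dump" ] || { echo "cannot read trace file: $dump" >&2; return 3; }
    found=$(find_in_bropath "$start") || {
        echo "start file '$start' not found on BROPATH" >&2; return 4; }
    echo "start file: $found"
    # '@load site' with '@prefixes = local' pulls in local.site.bro (see above);
    # warn rather than fail, since not every start file uses it.
    find_in_bropath local.site >/dev/null ||
        echo "warning: local.site.bro not found on BROPATH" >&2
}

# Usage: preflight_offline dumpfile brohost && bro -r dumpfile brohost
```

Because the first match wins, the printed path also shows which copy of a script is picked up when the same name exists in both $BROHOME/site and $BROHOME/policy.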

More information on Bro run-time flags and environment variables is available in the Reference Manual.