To enable full-content data logging in Bro IDS so that you can do network forensics, just set the following in bro.cfg under the Bro configuration directory (etc):
BRO_CREATE_TRACE_FILE=YES
Setting it back to NO disables it again. The trace (pcap) file is written to the logs directory; because it holds full packet payloads it grows quickly and is sensitive, so watch disk space and restrict access to that directory. The file command confirms it is a standard tcpdump/libpcap capture:
shell>file trace.hostname.06-12-19_00.36.41
trace.hostname.06-12-19_00.36.41: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 8192)
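As an added example (not code from the original post or from Bro itself), the POSIX shell script below does the two steps above without hand-editing: it flips BRO_CREATE_TRACE_FILE in a bro.cfg without leaving duplicate lines, and decodes the 24-byte libpcap global header of a trace file to print the same facts the file command reported (endianness, version 2.4, snaplen 8192, Ethernet). The config path, the trace file name and the sample header bytes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post or from Bro itself.
# Paths and the sample header bytes below are constructed for the demo.

# set_trace_logging CFG YES|NO
# Rewrite the existing BRO_CREATE_TRACE_FILE line in CFG (or append one),
# so repeated runs never leave two conflicting lines in bro.cfg.
set_trace_logging() {
    cfg=$1
    val=$2
    case "$val" in
        YES|NO) ;;
        *) echo "set_trace_logging: value must be YES or NO" >&2; return 1 ;;
    esac
    if grep -q '^BRO_CREATE_TRACE_FILE=' "$cfg"; then
        tmp=$(mktemp) || return 1
        sed "s/^BRO_CREATE_TRACE_FILE=.*/BRO_CREATE_TRACE_FILE=$val/" "$cfg" > "$tmp" \
            && cat "$tmp" > "$cfg"
        rm -f "$tmp"
    else
        printf 'BRO_CREATE_TRACE_FILE=%s\n' "$val" >> "$cfg"
    fi
}

# get_trace_logging CFG : print the current value (empty if unset)
get_trace_logging() {
    sed -n 's/^BRO_CREATE_TRACE_FILE=//p' "$1"
}

# pcap_header FILE
# Decode the 24-byte libpcap global header and print
# "<endian> <major>.<minor> <snaplen> <linktype>", the information that
# file(1) summarises as "little-endian - version 2.4 (Ethernet, capture length 8192)".
pcap_header() {
    f=$1
    # the 24 header bytes, as hex in file order, become $1..$24
    set -- $(od -An -tx1 -N24 -v "$f")
    [ $# -eq 24 ] || { echo "pcap_header: $f is shorter than a pcap header" >&2; return 1; }
    case "$1$2$3$4" in
        d4c3b2a1) endian=little-endian ;;
        a1b2c3d4) endian=big-endian ;;
        *) echo "pcap_header: $f is not a pcap file (magic $1$2$3$4)" >&2; return 1 ;;
    esac
    # layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
    if [ "$endian" = little-endian ]; then
        major=$((0x$6$5))
        minor=$((0x$8$7))
        snaplen=$((0x${20}${19}${18}${17}))
        link=$((0x${24}${23}${22}${21}))
    else
        major=$((0x$5$6))
        minor=$((0x$7$8))
        snaplen=$((0x${17}${18}${19}${20}))
        link=$((0x${21}${22}${23}${24}))
    fi
    case "$link" in
        1) linkname=Ethernet ;;
        *) linkname="linktype $link" ;;
    esac
    echo "$endian $major.$minor $snaplen $linkname"
}

# Demo on constructed input under a temporary directory (hypothetical paths).
demo() {
    d=$(mktemp -d) || return 1
    printf 'BRO_CREATE_TRACE_FILE=NO\n' > "$d/bro.cfg"
    set_trace_logging "$d/bro.cfg" YES
    echo "bro.cfg: BRO_CREATE_TRACE_FILE=$(get_trace_logging "$d/bro.cfg")"
    # constructed little-endian header: version 2.4, snaplen 8192 (0x2000), linktype 1 (Ethernet)
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\000\040\000\000\001\000\000\000' \
        > "$d/trace.hostname.demo"
    pcap_header "$d/trace.hostname.demo"
    rm -rf "$d"
}

demo
```

Checking the magic and version this way is a quick sanity test that a trace file was closed cleanly enough to be read by tcpdump or Wireshark before you rely on it for an investigation; a header that decodes but a file that stops mid-packet still needs pcapfix-style repair.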
However, in the future I think Time Machine will replace this for full-content data logging management.
Enjoy :]