Tuesday, December 19, 2006

Bro-IDS: Enable Full Content Data Logging

To enable Bro-IDS full content data logging so that you can perform network forensics, just set the following in bro.cfg under the Bro configuration directory (etc):

BRO_CREATE_TRACE_FILE=YES

You can disable it again by setting it to NO. The pcap file is stored in the logs directory:

shell>file trace.hostname.06-12-19_00.36.41
trace.hostname.06-12-19_00.36.41: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 8192)
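As an added example (not from the post or the Bro project), here is a small Python script that reads the 24-byte pcap global header of a trace file and reports the same fields that file(1) prints above; the sample header is constructed to match that output, and the file path in the usage comment is only illustrative.

```python
import struct
import sys

# Constructed sample: a pcap global header matching the trace file described above
# (little-endian magic, version 2.4, Ethernet link type, snaplen 8192), no packets.
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 8192, 1)

# The first four bytes identify byte order and timestamp resolution.
MAGIC = {
    b"\xd4\xc3\xb2\xa1": ("<", "little-endian", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "big-endian", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "little-endian", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "big-endian", "nanosecond"),
}
LINK_TYPES = {1: "Ethernet", 101: "Raw IP", 113: "Linux cooked"}


def parse_pcap_header(data):
    """Parse the 24-byte pcap global header and return its fields as a dict."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap capture file")
    if data[:4] not in MAGIC:
        raise ValueError("unknown magic %r: not a pcap capture file" % data[:4])
    order, endianness, ts_unit = MAGIC[data[:4]]
    _, major, minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        order + "IHHiIII", data[:24])
    return {"endianness": endianness, "timestamps": ts_unit,
            "major": major, "minor": minor, "snaplen": snaplen,
            "link_type": linktype,
            "link_type_name": LINK_TYPES.get(linktype, "DLT %d" % linktype)}


def describe(info):
    """Render the header the way file(1) prints it for a tcpdump capture."""
    return "tcpdump capture file (%s) - version %d.%d (%s, capture length %d)" % (
        info["endianness"], info["major"], info["minor"],
        info["link_type_name"], info["snaplen"])


def is_pcap(data):
    """True if data starts with a valid pcap global header."""
    try:
        parse_pcap_header(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage (illustrative path): python check_trace.py logs/trace.hostname.06-12-19_00.36.41
    with open(sys.argv[1], "rb") as f:
        print(describe(parse_pcap_header(f.read(24))))
```

A capture length of 8192 is well above a standard 1500-byte Ethernet frame, so packets are stored whole; the snaplen field is the first thing to check when reconstructed streams from a trace come up short.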

However, in the future I think Time Machine will replace this for full content data logging management.

Enjoy :]
