Bro provides network protocol analysis within ROCK. It is extremely customizable, and you are encouraged to take advantage of this.
When deploying custom Bro scripts, store them under
/usr/share/bro/site/scripts/. The ROCK Ansible playbooks manage the Bro configuration, and we can't guarantee that your
customizations won't be overwritten when Ansible is re-run if you don't follow this pattern.
Bro is deployed as a systemd unit called bro. Normal systemd procedures apply here:

```
sudo systemctl start bro
sudo systemctl status bro
sudo systemctl stop bro
sudo systemctl restart bro
```
The broctl command is now a shell alias that runs the real binary as the bro user and group. Using this alias prevents dangerous
permission changes: running /usr/bin/broctl directly with sudo executes it as root, and any files it creates or touches
(for example under the spool and log directories) end up owned by root, which the unprivileged bro user can then no longer write.
The only other safe way to run broctl is to execute it explicitly as the bro user and group:

```
sudo -u bro -g bro /usr/bin/broctl
```
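To make the ownership problem described above checkable, here is an added shell example that is not part of ROCK or of the Bro project. It builds the safe broctl invocation, lists files in a Bro directory that are no longer owned by the bro user (the symptom of having run the real binary as root), and repairs them. The user/group names, the binary path /usr/bin/broctl, and the spool and log locations /var/spool/bro and /var/log/bro are assumptions taken from or modelled on the text, overridable through environment variables.

```shell
#!/bin/sh
# Added example for the ROCK Bro documentation; not ROCK's or Bro's own code.
# Assumed defaults: bro:bro runs Bro, broctl lives at /usr/bin/broctl, and
# broctl state lives under /var/spool/bro and /var/log/bro (assumed paths).

BRO_USER="${BRO_USER:-bro}"
BRO_GROUP="${BRO_GROUP:-bro}"
BROCTL_BIN="${BROCTL_BIN:-/usr/bin/broctl}"
BRO_DIRS="${BRO_DIRS:-/var/spool/bro /var/log/bro}"

# Print the command line that runs broctl as the bro user and group rather
# than as root. Arguments are appended verbatim (no quoting of spaces).
broctl_cmd() {
    printf 'sudo -u %s -g %s %s' "$BRO_USER" "$BRO_GROUP" "$BROCTL_BIN"
    for arg in "$@"; do
        printf ' %s' "$arg"
    done
    printf '\n'
}

# Run broctl safely: directly if we already are the bro user, otherwise via
# sudo -u/-g. Never exec the binary as root.
run_broctl() {
    if [ "$(id -un)" = "$BRO_USER" ]; then
        exec "$BROCTL_BIN" "$@"
    fi
    exec sudo -u "$BRO_USER" -g "$BRO_GROUP" "$BROCTL_BIN" "$@"
}

# List every path under DIR that is not owned by USER. After someone runs
# "sudo /usr/bin/broctl", spool and log files show up here owned by root.
misowned_files() {
    dir="$1"
    user="$2"
    find "$dir" ! -user "$user" 2>/dev/null
}

# Exit 0 when everything under DIR belongs to USER, 1 otherwise.
check_ownership() {
    [ -z "$(misowned_files "$1" "$2")" ]
}

# Hand a directory tree back to bro:bro. Needs root (run this one with sudo).
repair_ownership() {
    chown -R "$BRO_USER:$BRO_GROUP" "$1"
}

# Audit all configured Bro directories; prints offenders, exits 1 if any.
audit_bro_dirs() {
    status=0
    for d in $BRO_DIRS; do
        [ -d "$d" ] || continue
        if ! check_ownership "$d" "$BRO_USER"; then
            echo "root-owned or foreign-owned files under $d:"
            misowned_files "$d" "$BRO_USER"
            status=1
        fi
    done
    return $status
}
```

Typical use on a sensor: run `audit_bro_dirs` after an accidental `sudo /usr/bin/broctl`; if it reports offenders, run `sudo sh -c '. ./broctl-helpers.sh; repair_ownership /var/spool/bro; repair_ownership /var/log/bro'` (file name assumed) and then continue with `run_broctl status`.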
- Application Logs