Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time


BroCI is a system that you can use to both test and profile Bro scripts before deployment. You can see the sample-repo for an example of how a repository would be configured to work with BroCI.

To start BroCI

(Right now only works with bro running on same device as webserver, traffic generator, and MongoDB)

  1. Start up Mongod
  2. Run
    • This will start up bro, collect some stats, and start putting them in DB.
    • For now, let it start seeding the DB for about 10 seconds before starting server.
  3. Start server/
    • It will start listening for connections on port 80.

Running Bro CI

  1. Create a test git repo to perform CI on.
    • It should have a /scripts directory for scripts that we are going to be testing.
  2. Put it into the field on the BroCI homepage and click "Send"
    • The page will pull the git repo and load the proper scripts into bro.
  3. Click "Run Tests"
    • This will run tcpreplay on all of the files and collect our results.
  4. You can view the results in finer detail by slecting the time ranges. If you select and invalid timerange the graphs won't show anything.

Misc Bro Notes

  • Run install on broctl after it's been freshly installed.
  • Change loaded scripts in local.bro


  • Tcpreplay sample command on n0: sudo tcpreplay --topspeed --loop=0 --intf1=eth2 c1_final.pcap
  • Convert file to be transmitted fron n0: tcprewrite --dstipmap= --enet-dmac=00:04:23:b7:41:f0 --srcipmap= --enet-smac=00:04:23:a8:da:62 --fixcsum --infile=browse.pcap --outfile=temp1.pcap


  • Logs: /usr/local/bro/logs
  • Local.bro and other scripts to be used by broctl are stored in: /usr/local/bro/share/bro/site
  • Store actual broscript ref'd by local.bro in: /usr/local/bro/share/bro/policy/misc
  • Change node config in: /usr/local/bro/etc/


The profiler module (profiler.bro) is stored in /usr/local/bro/share/bro/site. There should be an entry in local.bro for it with the line @load profiler.bro.

A log file only appears when someone calls it with the log_event(name) function.