From 9781eaacffef5bad2ca883355d61b4dce0e59d35 Mon Sep 17 00:00:00 2001
From: kev
Date: Mon, 22 Jun 2015 16:48:30 +0800
Subject: [PATCH] update
---
 bro/README.md | 13 +++++++++++--
 bro/docker-compose.yml | 2 +-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/bro/README.md b/bro/README.md
index f1cf582..c5980c1 100644
--- a/bro/README.md
+++ b/bro/README.md
@@ -12,9 +12,11 @@ bro:
 command: bro -i eth0
 volumes:
 - ./logs:/opt/bro/logs
- net: host
+ net: container:shadowsocks_shadowsocks_1
 ```
+> We are going to monitor `shadowsocks` which is a socks5 server.
+
 ## up and running
 ```
@@ -23,6 +25,13 @@ $ cd ~/fig/bro/
 $ docker-compose up -d
 $ docker exec -it bro_bro_1 bash
->>> tail -n +1 -f http.log | bro-cut -d ts user_agent
+>>> cat dns.log | bro-cut query | sort | uniq -c | sort -nr | head -5
+ 10 www.youtube.com
+ 3 twitter.com
+ 2 www.google.com
+ 1 www.baidu.com
+ 1 www.facebook.com
 >>> exit
 ```
+
+> Don't be evil!
diff --git a/bro/docker-compose.yml b/bro/docker-compose.yml
index e50f57f..ecd2e5b 100644
--- a/bro/docker-compose.yml
+++ b/bro/docker-compose.yml
@@ -3,4 +3,4 @@ bro:
 command: bro -i eth0
 volumes:
 - ./logs:/opt/bro/logs
- net: host
+ net: container:shadowsocks_shadowsocks_1
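Review bot: The new `net: container:shadowsocks_shadowsocks_1` line in bro/docker-compose.yml hard-codes a container name that looks generated by Compose for a different project, so the sensor depends on that project's directory name, on its instance index, and on it already running, none of which the file states. A comment above the line such as `# joins the network namespace of the running shadowsocks container; start that project first and keep this name in sync` would record the dependency. It is probably also worth noting that if the target container is recreated the sensor may stay attached to the old namespace and capture nothing, so it should be restarted with it. The unchanged `./logs:/opt/bro/logs` bind mount will now receive DNS and HTTP metadata for everyone using the proxy, so the host directory deserves restrictive permissions and a retention limit. Moving from `net: host` to a single container's namespace narrows what the sensor can capture, which the commit message ("update") could say.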