Signature matching is off by default. To use a small set of known, high quality signatures, add the following to your site policy file:
@load brolite-sigs
To use the full set of converted Snort signatures, add both of these lines:
@load brolite-sigs
redef signature_files += "signatures";
If signatures are turned on, then you can control the signature "action" levels through the file $BROHOME/site/sigaction.bro.
You can set the signature action to one of the following:
SIG_IGNORE          # ignore this sig. completely
SIG_FILE            # write to signatures and notice files
SIG_ALARM           # alarm and write to notice and alarm files
SIG_ALARM_PER_ORIG  # alarm once per originator
SIG_ALARM_ONCE      # alarm once and then never again
All signatures default to action = SIG_ALARM. To lower the alarm level of a signature, add an entry to the file $BROHOME/site/sigaction.bro. The Bro distribution contains a default sigaction.bro file that lowers the level of a number of signatures from ALARM to FILE (notice).
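The following is an added example of what such a sigaction.bro entry looks like; it is not the distribution's own file. It assumes that signature_actions is the redefinable table declared in Bro's signature.bro script (a &redef table whose &default is SIG_ALARM), and the signature identifiers are constructed placeholders, not real Snort SIDs.

```bro
# Constructed example of $BROHOME/site/sigaction.bro (not the Bro distribution's copy).
# Assumption: signature_actions is the &redef table from Bro's signature.bro with
# &default = SIG_ALARM, so every signature ID not listed here keeps the full
# ALARM level; only the IDs listed below are lowered.
redef signature_actions += {
	# Informative but noisy: keep a record in the signatures and notice
	# files without raising an alarm.
	["sid-example-noisy"] = SIG_FILE,

	# A scanner-style signature: one alarm per originating host is enough,
	# repeats from the same source are still logged but not re-alarmed.
	["sid-example-scanner"] = SIG_ALARM_PER_ORIG,

	# A signature where only the first hit matters during a run.
	["sid-example-once"] = SIG_ALARM_ONCE,

	# A signature known to false-positive on this network: drop it entirely
	# (equivalent in effect to deleting it from the .sig file, but reversible).
	["sid-example-fp"] = SIG_IGNORE,
};
```

The table keys are the signature identifiers as declared in the .sig files; the ones above are placeholders to be replaced with the IDs of the signatures being tuned.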
To permanently remove a signature, you can delete it from the .sig file.