Notices that are deemed particularly important are called Alarms. Alarms are sent to the alarm log file and, optionally, to syslog.
The standard Bro distribution supports a number of notice actions. These are:

NOTICE_IGNORE: do nothing
NOTICE_FILE: send to the 'notice' file
NOTICE_ALARM_ALWAYS: send to the alarm file and to syslog
NOTICE_ALARM_PER_CONN: send to the alarm file once per connection
NOTICE_EMAIL: send to the alarm file and send email
NOTICE_PAGE: send to the alarm file and send to a pager
It is also possible to define your own custom notice actions.
By default, all notices are set to NOTICE_ALARM_ALWAYS except for the following:
ContentGap, AckAboveHole, AddressDropIgnored, PacketsDropped, RetransmissionInconsistency
By default all Alarms are also sent to syslog. To disable this, add:
redef enable_syslog = F;
To change the default notice action for a given notice, add something like this to your site/brohost.bro file:
redef notice_action_filters += {
    [[WeirdActivity, ContentGap]] = ignore_notice,
};

This will cause the Notices WeirdActivity and ContentGap to no longer get logged anywhere.
To send these Notices to the Notice log file only, and not to the Alarm log, add this:
redef notice_action_filters += {
    [[WeirdActivity, ContentGap]] = file_notice,
};
For NOTICE_EMAIL and NOTICE_PAGE, email is sent using the script specified by the mail_script variable (default: "mail_notice.sh"), which must be in $PATH. To activate this, $mail_dest must be set. Email is only sent if Bro is reading live traffic.
For example, to send email on TerminatingConnection and FTP_Sensitive notices, add something like this:
redef mail_dest = "youremail@yoursite.edu";
redef notice_action_filters += {
    [[TerminatingConnection, FTP::FTP_Sensitive]] = send_email_notice,
};
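The following site policy fragment pulls the pieces above together and shows the custom notice action the text mentions but does not spell out: a filter that alarms only when the notice's source address is outside the monitored networks and otherwise just files it. This is an added example, not code from the Bro manual or distribution. It assumes the Bro 1.x convention that a notice_action_filters entry is a function of the form function(n: notice_info, a: NoticeAction): NoticeAction, that notice_info carries a src field, and that local_nets is the site's set of local subnets; verify these against the notice.bro shipped with your version before relying on it.

```bro
# site/brohost.bro (example policy; names noted in the lead-in are assumptions)

@load notice
@load weird
@load ftp

# Alarms are still written to the alarm log, but not forwarded to syslog.
redef enable_syslog = F;

# Noisy content-gap style notices go to the notice file only, never the alarm log.
redef notice_action_filters += {
    [[WeirdActivity, ContentGap]] = file_notice,
};

# Custom action: alarm only for externally sourced notices, file the rest.
# Assumed signature: function(n: notice_info, a: NoticeAction): NoticeAction
function alarm_if_external(n: notice_info, a: NoticeAction): NoticeAction
    {
    # Assumes notice_info has an optional src field; fall back to the
    # action Bro already chose if no source address is attached.
    if ( ! n?$src )
        return a;

    # Assumes local_nets is the set[subnet] of monitored networks.
    if ( n$src in local_nets )
        return NOTICE_FILE;

    return NOTICE_ALARM_ALWAYS;
    }

redef notice_action_filters += {
    [TerminatingConnection] = alarm_if_external,
};

# Sensitive FTP activity is worth an email regardless of source; email is only
# sent when Bro reads live traffic and mail_dest is set.
redef mail_dest = "youremail@yoursite.edu";
redef notice_action_filters += {
    [FTP::FTP_Sensitive] = send_email_notice,
};
```

Because notice_action_filters is a table keyed by notice type, the last assignment for a given key wins; keep all redefs for one notice type in a single place so the effective action is obvious when reviewing the policy.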