Customizing Builtin Policy
The default policy scripts for Bro are all in $BROHOME/policy. Remember that
these files should never be edited, as your edits will be lost when you
upgrade Bro. To customize Bro for your site, you should make all your changes
in $BROHOME/site. Many simple changes just require you to redefine (using the
redef operator) a Bro constant from a standard policy script with your own
custom value. You can also write your own custom script to do whatever you want.
Here are some examples of the types of things you may want to customize.
To add "guest" to the list of forbidden_ids (user names that generate a login alarm), you do this:
redef forbidden_ids += { "guest", };
To add a new rootkit string to HTTP sensitive_URIs:
redef HTTP::sensitive_URIs += /^.*rootdown\.pl.*$/;