Writing New Policy

For example, if your site only allows external HTTP and mail traffic to a small, controlled list of hosts, you could write a new .bro file containing this:

# Hostname literals are resolved at startup and yield sets of addresses.
const web_servers = { www.lbl.gov, www.bro-ids.org, };
const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };

# Extend the builtin allow-list; set operands inside an index expand to
# every [host, port] combination.
redef allow_services_to: set[addr, port] += {
        [mail_servers, smtp],
        [web_servers, http],
};

Bro can then generate an Alarm or even terminate the connection for policy violations. For example:

# Alarm when the service is neither globally allowed nor allowed to this host.
if ( service !in allow_services && [c$id$resp_h, service] !in allow_services_to )
        NOTICE([$note=SensitiveConnection, $conn=c]);

# Tear down inbound connections to services the site has marked for termination.
if ( inbound && service in terminate_successful_inbound_service )
        terminate_connection(c);
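The following complete policy script is an added example, not text from the Bro manual: it wires the allow-lists above to the connection_established event so the fragments become a loadable script. It assumes Bro 1.x-era syntax (redef enum Notice, notice_info records, is_local_addr from site.bro and terminate_connection from conn.bro) and substitutes explicit port literals for the named smtp/http constants; the set of services to kill inbound is constructed for illustration.

```bro
# Added example (not from the Bro manual): a standalone policy built from the
# allow-list idea above. Assumes Bro 1.x-era syntax and the shipped site.bro /
# conn.bro helpers; port literals replace the named smtp/http constants.
@load site
@load conn
@load notice

redef enum Notice += { DisallowedExternalService };

# Hosts permitted to offer each service (hostnames resolve to addr sets).
const web_servers: set[addr] = { www.lbl.gov, www.bro-ids.org, } &redef;
const mail_servers: set[addr] = { smtp.lbl.gov, smtp2.lbl.gov, } &redef;

# The services this policy controls when the responder is external.
const controlled_services: set[port] = { 25/tcp, 80/tcp } &redef;

# [host, port] pairs allowed externally; set operands expand to all combinations.
const allowed_external: set[addr, port] = {
	[mail_servers, 25/tcp],
	[web_servers, 80/tcp],
} &redef;

# Constructed list: inbound services whose established connections get killed.
const kill_inbound_services: set[port] = { 23/tcp } &redef;

event connection_established(c: connection)
	{
	local service = c$id$resp_p;
	local inbound = is_local_addr(c$id$resp_h);

	# External responder offering a controlled service that is not allow-listed.
	if ( ! inbound && service in controlled_services &&
	     [c$id$resp_h, service] !in allowed_external )
		NOTICE([$note=DisallowedExternalService, $conn=c,
		        $msg=fmt("%s -> %s:%s not in external allow-list",
		                 c$id$orig_h, c$id$resp_h, service)]);

	# Successful inbound connection to a service the site has chosen to kill.
	if ( inbound && service in kill_inbound_services )
		terminate_connection(c);
	}
```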