Writing New Policy
For example, if your site only allows external HTTP and mail to a small, controlled list of hosts, you could write a new .bro file containing this:
    const web_servers = { www.lbl.gov, www.bro-ids.org, };
    const mail_servers = { smtp.lbl.gov, smtp2.lbl.gov, };

    redef allow_services_to: set[addr, port] += {
    	[mail_servers, smtp],
    	[web_servers, http],
    };
Bro can then generate an alarm, or even terminate the connection, when this policy is violated. For example:
    # service, inbound and c are supplied by the enclosing connection handler.
    if ( service !in allow_services )
    	NOTICE([$note=SensitiveConnection, $conn=c]);

    if ( inbound && service in terminate_successful_inbound_service )
    	terminate_connection(c);
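A complete site policy file that ties these pieces together, added here as an example and not taken from the Bro distribution: it declares the allowed server sets, extends allow_services_to, and adds a connection_established handler that raises a site-specific notice (and optionally terminates the connection) for outbound traffic from local hosts to any other external service. It assumes local_nets from site.bro, allow_services_to and terminate_connection from conn.bro, and uses constructed addresses (192.0.2.0/24 servers, 10.0.0.0/8 as the local network) and a hypothetical file name.

```bro
# site-allowlist.bro: added example, not part of the Bro distribution.
# Assumes conn.bro (allow_services_to, terminate_connection) and
# site.bro (local_nets) are loaded; all addresses below are constructed.
@load conn
@load site

redef local_nets += { 10.0.0.0/8 };

# Site-specific notice raised for disallowed outbound connections.
redef enum Notice += { DisallowedExternalService };

# Constructed server addresses in the 192.0.2.0/24 documentation range.
const web_servers  = { 192.0.2.10, 192.0.2.11 };
const mail_servers = { 192.0.2.20, 192.0.2.21 };

# A [set, port] entry expands to every (addr, port) pair in that set.
redef allow_services_to += {
	[mail_servers, 25/tcp],	# SMTP
	[web_servers, 80/tcp],	# HTTP
};

# Leave at F until the notices confirm the policy fires on the right flows.
const terminate_disallowed = F &redef;

event connection_established(c: connection)
	{
	local orig = c$id$orig_h;
	local resp = c$id$resp_h;
	local service = c$id$resp_p;

	# Only outbound connections from local hosts to external hosts are
	# subject to the allow list; inbound and local-to-local are ignored.
	if ( orig !in local_nets || resp in local_nets )
		return;

	# Allowed (server, port) pair: nothing to report.
	if ( [resp, service] in allow_services_to )
		return;

	NOTICE([$note=DisallowedExternalService, $conn=c,
		$msg=fmt("%s -> %s/%s not in allow_services_to",
			 orig, resp, service)]);

	if ( terminate_disallowed )
		terminate_connection(c);
	}
```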