base/files/unified2/main.bro

Unified2

Namespace:Unified2 Imports:base/utils/dir.bro, base/utils/paths.bro Source File:/scripts/base/files/unified2/main.bro

Summary

Redefinable Options

Unified2::classification_config: string &redef	The classification.config file you would like to use for your alerts.
Unified2::gen_msg: string &redef	The gen-msg.map file you would like to use for your alerts.
Unified2::sid_msg: string &redef	The sid-msg.map file you would like to use for your alerts.
Unified2::watch_dir: string &redef	Directory to watch for Unified2 records.
Unified2::watch_file: string &redef	File to watch for Unified2 files.

Types

Unified2::Info: record &log
Unified2::PacketID: record &log

Redefinitions

Log::ID: enum
fa_file: record &redef

Events

Unified2::alert: event	Reconstructed “alert” which combines related events and packets.
Unified2::log_unified2: event	The event for accessing logged records.

Detailed Interface

Redefinable Options

Unified2::classification_config

Type:string Attributes:&redef Default:""

The classification.config file you would like to use for your alerts.

Unified2::gen_msg

Type:string Attributes:&redef Default:""

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg

Type:string Attributes:&redef Default:""

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir

Type:string Attributes:&redef Default:""

Directory to watch for Unified2 records.

Unified2::watch_file

Type:string Attributes:&redef Default:""

File to watch for Unified2 files.

Types

Unified2::Info

Type:

record

ts: time &log

Timestamp attached to the alert.

id: Unified2::PacketID &log

Addresses and ports for the connection.

sensor_id: count &log

Sensor that originated this event.

signature_id: count &log

Sig id for this generator.

signature: string &optional &log

A string representation of the signature_id field if a sid_msg.map file was loaded.

generator_id: count &log

Which generator generated the alert?

generator: string &optional &log

A string representation of the generator_id field if a gen_msg.map file was loaded.

signature_revision: count &log

Sig revision for this id.

classification_id: count &log

Event classification.

classification: string &optional &log

Descriptive classification string.

priority_id: count &log

Event priority.

event_id: count &log

Event ID.

packet: string &optional &log

Some of the packet data.

Attributes:

&log

Unified2::PacketID

Type:

record

src_ip: addr &log

src_p: port &log

dst_ip: addr &log

dst_p: port &log

Attributes:

&log

Events

Unified2::alert

Type:event (f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2

Type:event (rec: Unified2::Info)

The event for accessing logged records.