Node: Customizing Bro, Next: Intrusion Prevention Using Bro, Previous: Analysis of Incidents and Alarms, Up: Top
NOTE: This chapter is still a rough draft and incomplete.
Bro is very customizable, and there are several ways to modify it to suit your environment. You can write your own policy analyzers in the Bro language, but most sites will likely only want minor customizations, such as changing the level of an alert from "notice" to "alarm", or turning particular analyzers on or off. This chapter describes how to make these types of customizations. Information on how to write your own analyzers can be found in the Bro Reference Manual.
The default policy scripts for Bro are all in $BROHOME/policy. These files should never be edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, make all your changes in $BROHOME/site. Many simple changes just require you to redefine (using the redef operator) a Bro constant from a standard policy script with your own custom value. You can also write your own custom script to do whatever you want.
For example, to add "guest" to the list of forbidden_ids (user names that generate a login alarm), you do this:
redef forbidden_ids += { "guest", };
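A fuller site script using the same mechanism, added here as an example rather than taken from the Bro distribution. The file name local.bro is an assumption (any script under $BROHOME/site that Bro is told to load will do), the choice of user names is illustrative, and the @load of login is an assumption about which standard script defines forbidden_ids. The custom constant at the end shows the one rule that trips most people up: redef only applies to variables declared with the &redef attribute.

```bro
# $BROHOME/site/local.bro -- added example, not shipped with Bro.
# The file name is an assumption; Bro must be told to load this file
# (on the command line, or from the site's top-level script).

# Analyzers are turned on by loading their scripts; an analyzer that is
# not @load'ed is simply off.  login.bro is assumed to be the script
# that declares forbidden_ids, so it must be loaded before the redef.
@load login

# Extend the set of user names that generate a login alarm.
# "+=" adds to the existing set; a plain "=" would replace it entirely,
# silently dropping the names the standard script already lists.
redef forbidden_ids += { "guest", "test", "backup" };

# A constant in your own script can only be redefined elsewhere if it
# carries the &redef attribute; redef of a non-redefinable variable is
# rejected when the policy is loaded.
const suspicious_login_threshold = 3 &redef;

# A later line (or another site script loaded afterwards) may then tune it
# without editing the declaration above.
redef suspicious_login_threshold = 5;
```

Keep every such redef in $BROHOME/site so that an upgrade, which replaces $BROHOME/policy, leaves your customizations intact.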
In this chapter we give an overview of all the standard Bro policy scripts, what notices they generate, and how to customize the most commonly changed items.