There are two ways that alarms can be triggered. One is when network traffic matches a signature that has been converted to work with Bro. The other is by matching Bro rules that are embedded in the Bro analyzers.
In the Bro report, converted signatures are identified by the alarm type SensitiveSignature and by the presence of a bro identification number. Each signature is distinct, targeting one specific set of network events for each alarm. Currently the majority of converted signatures are developed from Snort© signatures using the snort2bro utility. In addition, enhancements have been made by using features of the Bro policy language that are absent in Snort©. Most Bro signatures are found in $BROHOME/site/signatures.sig; however, they can also exist in other .sig files.
Bro rules are typically embedded in the Bro analyzers or in other .bro policy files. Several trigger conditions are usually lumped into a group of Bro rules within a .bro file, making it difficult to separate the exact condition that triggered the alarm. Hence, alarms triggered by an embedded Bro rule will not have a specific bro identification number, nor will the signature code block appear in the report.
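As an added illustration that is not part of the original page, the following shows the shape of one converted signature as it would sit in a .sig file. The signature name, payload pattern and event message are constructed for this example, and naming the signature after the Snort sid (sid-1000001) is an assumption about the snort2bro convention, not something the page states. The event string is what surfaces next to the SensitiveSignature alarm type in the report, and the signature name supplies the identification number that an alarm from an embedded Bro rule lacks.

```bro
# Added example, not from the original page: a Bro signature written in the
# style of a snort2bro-converted rule. The name "sid-1000001", the payload
# pattern and the event message are constructed for illustration.
#
# Constructed Snort rule this signature is modelled on:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 80
#     (msg:"WEB-MISC /etc/passwd access"; flow:established;
#      content:"/etc/passwd"; sid:1000001; rev:1;)

signature sid-1000001 {
    # Header conditions: protocol and destination port from the Snort rule
    ip-proto == tcp
    dst-port == 80
    # Only inspect established connections, mirroring Snort's "flow:established"
    tcp-state established
    # Content condition expressed as a regular expression over the payload
    payload /.*\/etc\/passwd/
    # Message that appears with the SensitiveSignature alarm in the Bro report
    event "WEB-MISC /etc/passwd access"
}
```

Because every condition for this alarm lives inside one named block, an analyst reading the report can see exactly which signature fired and what it checked. An embedded Bro rule inside an analyzer has no such block to quote, which is why the report omits it.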
AddressDropped
AddressScan
BackscatterSeen
ClearToEncrypted_SS
CountSignature
DNS_MappingChanged
DNS_PTR_Scan
FTP_BadPort
FTP_ExcessiveFilename
FTP_PrivPort
FTP_Sensitive
FTP_UnexpectedConn
HTTP_SensitiveURI
HotEmailRecipient
ICMPAsymPayload
ICMPUnpairedEchoReply
ICMPConnectionPair
IdentSensitiveID
LoginForbiddenButConfused
LocalWorm
MultipleSigResponders
MultipleSignatures
OutboundTFTP
PasswordGuessing
PortScan
RemoteWorm
ResolverInconsistency
SSH_Overflow
SSL_SessConIncon
SSL_X509Violation
ScanSummary
SensitiveConnection
SensitiveDNS_Lookup
SensitivePortmapperAccess
SensitiveLogin
SensitiveSignature
SensitiveUsernameInPassword
SignatureSummary
SynFloodEnd
SynFloodStart
SynFloodStatus
TRWAddressScan
TerminatingConnection
W32B_SourceLocal
W32B_SourceRemote
ZoneTransfer