Policy Files

A Bro policy script is the basic analyzer Bro uses to decide which network events are worth alarming on. A policy also specifies which activities to scrutinize, what actions to take, and how to report them. Bro uses policies to classify activity as "hot", that is, questionable in intent. Hot network sessions can then be flagged, watched, or responded to by other policies or by whatever external programs the site deems necessary, for example by calling rst to reset the connection from the local side, or by adding a block for the offending IP address to a border router's ACL (Access Control List). Policy files are written in the Bro scripting language, which is described in detail in The Bro Reference Manual.

Policy files are loaded with the @load directive. The semantics of @load are "load this script if it has not already been loaded", so there is no harm in @load-ing the same script from several policy files. The policy scripts listed below ship with Bro. The first group is loaded by default; the scripts in the second group are enabled by adding @load lines for them to your site/local.site.bro policy file.

The Bro analyzers are described in detail in the Reference Manual. These policy files are loaded by default:

site              defines local and neighbor networks from static config
alarm             opens the logging file for alarm events
tcp               initializes the BPF filter for SYN/FIN/RST TCP packets
login             rlogin/telnet analyzer (or ensures they are disabled)
weird             initializes the generic mechanism for detecting unusual events
conn              accesses and records connection events
hot               defines certain forms of sensitive access
frag              processes IP fragments (fragmentation happens at the IP layer, not in TCP)
print-resources   on exit, prints resource usage information; useful for tuning
signatures        the signature policy engine
scan              generic scan detection mechanism
trw               additional, more sensitive scan detection (threshold random walk)
http              general HTTP analyzer, low level of detail
http-request      detailed analysis of HTTP requests
http-reply        detailed analysis of HTTP replies
ftp               FTP analysis
portmapper        records and analyzes RPC portmapper requests
smtp              records and analyzes email traffic
tftp              identifies and logs TFTP sessions
worm              flags HTTP-based worm sources such as Code Red
software          tracks software versions; required for some signature matching
blaster           looks for the Blaster worm
synflood          looks for SYN flood attacks
stepping          detects when someone logs into your site from an external network and then soon logs into another site
reduce-memory     sets shorter timeouts for saved state, thus saving memory; if Bro is using less than 50% of your RAM, try not loading this

These are not loaded by default:

Policy         Description                                                        Why off by default
-------------  -----------------------------------------------------------------  ----------------------------------------------------
drop           include if the site is able to drop hostile remote hosts           turn on if needed
icmp           ICMP analysis                                                      CPU intensive and low payoff
dns            DNS analysis                                                       CPU intensive and low payoff
ident          ident protocol analyzer                                            historical, no longer interesting
gnutella       looks for hosts running Gnutella                                   turn on if you want to know about this
ssl            SSL analyzer                                                       still experimental
ssh-stepping   detects stepping stones where both the incoming and the outgoing   possibly too CPU intensive (needs more testing)
               connection are SSH
analy          performs statistical analysis                                      only used in off-line analysis
backdoor       looks for backdoors                                                only effective when also capturing bulk traffic
passwords      looks for clear-text passwords                                     may want to turn on if your site does not allow
                                                                                  clear-text passwords
file-flush     causes all log files to be flushed every N seconds                 may want to turn on if you are doing "real time"
                                                                                  analysis

To change which analyzers are loaded, edit or create a file in BROHOME/site; a custom analyzer you write yourself goes in this directory too. To disable an analyzer that is loaded by default, add "@unload policy.bro" (substituting the script's name) at the beginning of BROHOME/brohost.bro, before the line "@load brolite.bro". The order matters: @unload only suppresses a later @load of that script, so it must appear before brolite.bro gets a chance to load it. To enable additional analyzers, @load them from BROHOME/site/local.site.bro.
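As an added illustration of the two edits just described (this is example configuration written for this page, not a file shipped with Bro), here is what the host file and the site file might look like for a site that wants the stepping analyzer turned off and the drop, passwords and file-flush analyzers turned on. The file names follow the BROHOME layout above; the host name "brohost" and the assumption that brolite.bro in turn loads site/local.site.bro (which the instructions above imply) are assumptions, not taken from the Bro distribution.

```bro
# BROHOME/brohost.bro   (added example, not the stock file)
#
# @unload must come BEFORE "@load brolite.bro".  It marks the script as
# already loaded, so the @load of it that brolite.bro performs becomes a
# no-op.  Putting the @unload after brolite.bro would be too late.
@unload stepping        # this host does not need stepping-stone detection

@load brolite.bro       # default analyzer set; assumed to pull in
                        # site/local.site.bro as well


# BROHOME/site/local.site.bro   (added example)
#
# Analyzers that are off by default.  Every @load is "load only if not
# already loaded", so repeating one of the defaults here is harmless.
@load drop              # site can block hostile remotes at its router ACL
@load passwords         # site policy forbids clear-text passwords, so log them
@load file-flush        # flush log files periodically for near-real-time viewing
@load scan              # already loaded by default: this duplicate is a no-op
```

Keep the @unload lines together at the top of brohost.bro and the @load lines in local.site.bro; a default analyzer cannot be switched off from local.site.bro because by the time that file is read the analyzer has already been loaded.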