Node: Two Types of Triggers, Next: , Up: Analysis of Incidents and Alarms



Two Types of Triggers

There are two ways that alarms can be triggered. One is when network traffic matches a signature that has been converted to work with Bro. The other is by matching Bro rules that are embedded in the Bro analyzers.

Converted Signatures

In the Bro report, converted signatures are identified by the alarm type SensitiveSignature and the presence of a Bro identification number. Each signature is distinct, targeting one specific set of network events for each alarm. Currently the majority of converted signatures are developed from Snort© signatures using the snort2bro utility. In addition, enhancements have been made by using features of the Bro policy language that are absent in Snort©. Most Bro signatures are found in $BROHOME/site/signatures.sig; however, they can also exist in other .sig files.
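As an added illustration, not an entry from the Bro distribution's own signatures.sig, here is what a converted signature can look like. The Snort rule it is derived from, the sid number and the CGI path are all constructed for this example, and the Bro 1.x signature syntax and the sid-based naming of snort2bro output are assumed:

```bro
# Constructed example signature; not a real signatures.sig entry.
#
# Snort original (constructed for this illustration):
#   alert tcp any any -> any 80 (msg:"WEB-CGI example.cgi access"; \
#     content:"/cgi-bin/example.cgi"; sid:12345;)
#
# The converted signature is assumed to be named after the Snort sid;
# that number is the Bro identification number shown in the report
# next to a SensitiveSignature alarm.
signature sid-12345 {
    ip-proto == tcp
    dst-port == 80
    # Bro-only refinement that the Snort rule lacks: match only on a
    # fully established TCP connection, so unanswered or spoofed
    # packets cannot trigger the alarm on their own.
    tcp-state established
    # Match on the parsed HTTP request line instead of raw payload
    # bytes, which avoids false hits on the string inside other traffic.
    http-request /.*\/cgi-bin\/example\.cgi/
    # The event text becomes the message of the resulting
    # SensitiveSignature alarm.
    event "WEB-CGI example.cgi access"
}
```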

Embedded Bro Rule

Bro rules are typically embedded in the Bro analyzers or other .bro policy files. Several trigger conditions are usually lumped together into a group of Bro rules within a .bro file, making it difficult to separate out the exact condition that triggered the alarm. Hence, alarms triggered by an embedded Bro rule will not have a specific Bro identification number, nor will the signature code block appear in the report.

AddressDropped
AddressScan
BackscatterSeen
ClearToEncrypted_SS
CountSignature
DNS_MappingChanged
DNS_PTR_Scan
FTP_BadPort
FTP_ExcessiveFilename
FTP_PrivPort
FTP_Sensitive
FTP_UnexpectedConn
HTTP_SensitiveURI
HotEmailRecipient
ICMPAsymPayload
ICMPUnpairedEchoReply
ICMPConnectionPair
IdentSensitiveID
LoginForbiddenButConfused
LocalWorm
MultipleSigResponders
MultipleSignatures
OutboundTFTP
PasswordGuessing
PortScan
RemoteWorm
ResolverInconsistency
SSH_Overflow
SSL_SessConIncon
SSL_X509Violation
ScanSummary
SensitiveConnection
SensitiveDNS_Lookup
SensitivePortmapperAccess
SensitiveLogin
SensitiveSignature
SensitiveUsernameInPassword
SignatureSummary
SynFloodEnd
SynFloodStart
SynFloodStatus
TRWAddressScan
TerminatingConnection
W32B_SourceLocal
W32B_SourceRemote
ZoneTransfer