6.4.1 Turning Signatures ON/OFF

Signature "action" levels are controlled by the file $BROHOME/site/sigaction.bro. You can set the signature action to one of the following:

    SIG_IGNORE          # ignore this sig. completely 
    SIG_FILE            # write to signatures and notice files
    SIG_ALARM           # alarm and write to notice and alarm files
    SIG_ALARM_PER_ORIG  # alarm once per originator
    SIG_ALARM_ONCE      # alarm once and then never again

All signatures default to action = SIG_ALARM. To lower the alarm level of a signature, add an entry for it to the file $BROHOME/site/sigaction.bro. The Bro distribution contains a default sigaction.bro file that lowers the level of a number of signatures from ALARM to FILE (notice).

To permanently remove a signature you can delete it from the .sig file.