A Bro policy script is the basic analyzer Bro uses to determine which network events are alarm-worthy. A policy can also specify what actions to take and how to report activities, as well as which activities to scrutinize. Bro uses policies to classify activities as "hot", that is, questionable in intent. These hot network sessions can then be flagged, watched, or responded to via other policies or applications as necessary, such as calling rst to reset a connection on the local side, or adding an IP address block to a main router's ACL (Access Control List).
The policy files use the Bro scripting language, which is discussed in great detail in The Bro Reference Manual.
Policy files are loaded using an @load command. The semantics of @load are "load this script if it hasn't already been loaded", so there is no harm in loading the same script from multiple policy scripts.
The following policy scripts are included with Bro. The first set are all on by default; the second group can be enabled by adding them to your site/local.site.bro policy file.
Bro Analyzers are described in detail in the Reference Manual. These policy files are loaded by default:
Policy           Description
site             defines local and neighbor networks from static config
alarm            open logging file for alarm events
tcp              initialize BPF filter for SYN/FIN/RST TCP packets
login            rlogin/telnet analyzer (or to ensure they are disabled)
weird            initialize generic mechanism for detecting unusual events
conn             access and record connection events
hot              defines certain forms of sensitive access
frag             process TCP fragments
print-resources  on exit, print resource usage information, useful for tuning
signatures       the signature policy engine
scan             generic scan detection mechanism
trw              additional, more sensitive scan detection
http             general HTTP analyzer, low level of detail
http-request     detailed analysis of HTTP requests
http-reply       detailed analysis of HTTP replies
ftp              FTP analysis
portmapper       record and analyze RPC portmapper requests
smtp             record and analyze email traffic
tftp             identify and log TFTP sessions
worm             flag HTTP-based worm sources such as Code Red
software         track software versions; required for some signature matching
blaster          looks for the Blaster worm
synflood         looks for SYN flood attacks
stepping         used to detect when someone logs into your site from an external net, and then soon logs into another site
reduce-memory    sets shorter timeouts for saving state, thus saving memory. If your Bro is using < 50% of your RAM, try not loading this
These are not loaded by default:
Policy        Description                                                                       Why off by default
drop          include if site has ability to drop hostile remotes                               turn on if needed
icmp          ICMP analysis                                                                     CPU intensive and low payoff
dns           DNS analysis                                                                      CPU intensive and low payoff
ident         ident program analyzer                                                            historical, no longer interesting
gnutella      looks for hosts running Gnutella                                                  turn this on if you want to know about this
ssl           SSL analyzer                                                                      still experimental
ssh-stepping  detects stepping stones where both incoming and outgoing connections are SSH      possibly too CPU intensive (needs more testing)
analy         performs statistical analysis                                                     only used in off-line analysis
backdoor      looks for backdoors                                                               only effective when also capturing bulk traffic
passwords     looks for clear text passwords                                                    may want to turn on if your site does not allow clear text passwords
file-flush    causes all log files to be flushed every N seconds                                may want to turn on if you are doing "real time" analysis
To modify which analyzers are loaded, edit or create a file in BROHOME/site. If you write your own custom analyzer, it goes in this directory too. To disable an analyzer, add "@unload policy.bro" to the beginning of the file BROHOME/brohost.bro, before the line "@load brolite.bro". To add additional analyzers, @load them in BROHOME/site/local.site.bro.
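A worked example of the two files described above, added here as an illustration and not taken from the Bro distribution; the particular analyzers chosen (trw, passwords, dns, file-flush) and the file contents are assumptions made for the example, with the reasons for each choice taken from the tables above:

```bro
# BROHOME/brohost.bro  (constructed example, not the distributed file)
#
# @unload lines must come BEFORE "@load brolite.bro": @load only loads a
# script that is not already loaded, so if brolite.bro ran first it would
# pull in the analyzer and a later @unload would come too late to matter.

# This sensor is short on CPU, so skip the more sensitive TRW scan detector
# (illustrative choice; the default scan detector stays loaded).
@unload trw.bro

# Load the default set, minus anything unloaded above.
@load brolite.bro


# BROHOME/site/local.site.bro  (constructed example)
#
# Analyzers that are off by default, enabled here with the reason from
# the "Why off by default" column in mind.

# Site policy forbids clear-text logins, so any hit is worth an alarm.
@load passwords.bro

# DNS analysis is CPU intensive and low payoff in general; enabled here
# because this sensor has headroom and DNS context helps when following
# up on sessions the other analyzers flag as hot.
@load dns.bro

# Flush log files every N seconds so a downstream process can read them
# in near real time rather than waiting for buffered output.
@load file-flush.bro

# Loading a script that brolite.bro already loaded is harmless: @load
# skips scripts that are already in, so this line is a no-op.
@load conn.bro
```

Because @load is idempotent, the safe habit is to keep every @unload in brohost.bro ahead of "@load brolite.bro" and every addition in local.site.bro, so the order of loading is always obvious when reviewing what a sensor actually runs.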