


Other Customizations

There are a number of things you may wish to customize.

hot_ids

The policy file hot-ids.bro contains a number of constants that you might want to customize by "redef"ing them in your local.site.bro policy file. These are all used to generate FTP and login alarms (SensitiveConnection Notice) for suspicious users. The user IDs that are in hot_ids but not in always_hot_ids are only hot upon successful login. For details see the Bro Reference Manual.

     constant         Defaults
     forbidden_ids    "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts", "ezsetup", "outofbox", "4dgifts", "sgiweb", "r00t", "ruut", "bomb", "backdoor", "bionic", "warhead", "check_mate", "checkmate", "check_made", "themage", "darkmage", "y0uar3ownd", "netfrack", "netphrack"
     always_hot_ids   "lp", "demos", "retro", "milk", "moof", "own", "gdm", "anacnd", plus all of forbidden_ids above
     hot_ids          "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag", "sync", "tutor", "tour", "operator", "sys", "toor", "issadmin", "msql", "sysop", "sysoper", plus all of always_hot_ids

Input/Output Strings

The policy files login.bro and ftp.bro both contain a list of input and output strings that indicate suspicious activity. If you wish to add anything to these lists, you may want to redef one of the following:

     login.bro: see input_trouble and output_trouble
     ftp.bro: see ftp_hot_files
     

Sensitive URIs

The policy file http-request.bro contains a list of HTTP URIs that indicate suspicious activity. If you wish to add anything to this list, you may want to redef one of the following:

     sensitive_URIs
     sensitive_post_URIs
     

Other

Redef this to rotate the log files every N seconds:

     log_rotate_interval (default = 0 sec, don't rotate)
     

Redef this to rotate the log files when they get this big:

     log_max_size (default = 250e6, rotate when any file exceeds 250 MB)
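As an added example (not part of the original manual or of the Bro distribution), a local.site.bro fragment that applies the customizations described on this page: it extends the hot-ID sets and replaces the default log rotation settings. The `redef ... += { ... }` form for adding members to a set, the interval units (`hr`, `sec`) and the example user IDs are assumptions made for this illustration; the IDs are constructed, not taken from any real site.

```bro
# local.site.bro (example fragment, assumed to be loaded after hot-ids.bro)

# Constructed example: a decommissioned service account that should be
# alarmed on whenever it is seen at all, successful login or not.
redef always_hot_ids += { "oldbackup" };

# Constructed example: an account that is legitimate but whose successful
# logins we still want a SensitiveConnection notice for.  Adding to hot_ids
# (rather than always_hot_ids) means it is only hot upon successful login.
redef hot_ids += { "dbadmin" };

# The ID is added to each set it belongs in explicitly; this example does
# not rely on a redef of forbidden_ids propagating into the other sets.

# Default is 0 sec (never rotate).  Rotate every hour instead.
redef log_rotate_interval = 1 hr;

# Default is 250e6 (250 MB).  Rotate earlier so a burst of alarms does not
# leave one very large file to work through during an incident.
redef log_max_size = 100e6;
```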