how to realize alert in real time
vern at icir.org
Fri Jun 21 23:39:40 PDT 2002
> According to some literature, "bro can make intrusion announcement in
> real time", but when I try to run bro, I don't find how to realize this
> function, I only can create some logfiles.
The "log" statement logs a string via syslog().
The system() function invokes an arbitrary shell command.
> And, if it do this as said,
> what is the form of alert?
Just a string. Recently, Umesh Shankar has added a framework of "attributes",
i.e., additional information associated with values, and the main impetus
behind this has been to add structure to Bro alerts, since that's really
needed so they can be better filtered/post-processed/etc. It will be in
the next major release of Bro, which I'm aiming to have out in August.
More information about the Bro