[Bro] Alarms in log vs alarms in report

François Gagnon frgag272 at ift.ulaval.ca
Tue Mar 21 19:43:53 PST 2006


I have noticed that Bro can provide the user with a fine-grained classification
of alarms in the reports (likely unsuccessful, likely successful, ...).
However, in the log, Bro provides me with a less specific classification (alarm
vs no alarm) with no indication of the potential success (or failure) of the
attack. I think that the events in the log correspond to likely successful
attacks only (correct me if I am wrong).

I am wondering if there is any way to get Bro to output all events in the log
WITH their classification (likely successful, likely unsuccessful, ...) or if
this feature is reserved specifically for reports?

Thank you very much!

François Gagnon
