[Bro] Hui Lin_what policy is included into Bro by default

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Feb 13 08:03:17 PST 2012

> For example, I find a ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh event while the "policy" one include some detection rules, such as bruteforce attacks.

Yeah, the general idea is that scripts under base/ are mostly for basic state tracking and logging, while ones under policy/ do more advanced/specific things.

> If I want to use them, do I have to include them, or they are already been included by default?

Using bro on the command line, everything in base/ is loaded by default (overridden with the -b option), but nothing in policy/.

The site/local.bro script will load most everything in policy/ and by default that's loaded if you use broctl.


More information about the Bro mailing list