[Bro] Hui Lin_what policy is included into Bro by default
Siwek, Jonathan Luke
jsiwek at illinois.edu
Mon Feb 13 08:03:17 PST 2012
> For example, I find an ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh events while the "policy" one includes some detection rules, such as bruteforce attacks.
Yeah, the general idea is that scripts under base/ are mostly for basic state tracking and logging, while ones under policy/ do more advanced/specific things.
> If I want to use them, do I have to include them, or have they already been included by default?
Using bro on the command line, everything in base/ is loaded by default (overridden with the -b option), but nothing in policy/.
The site/local.bro script will load most everything in policy/ and by default that's loaded if you use broctl.