[Bro] Hui Lin_what policy is included into Bro by default

Seth Hall seth at icir.org
Mon Feb 13 08:16:23 PST 2012

On Feb 13, 2012, at 10:10 AM, Hui Lin (Hugo) wrote:

> Now, I am wondering what logs under which bro installation directories are enabled by default. I am little confused on the Bro 2.0 policy script hierarchy (so perhaps we should include this description in the documentation?)

Yes, that's something that we still need to document very clearly.  Fortunately there is a clear answer!

> For example, I find a ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh event while the "policy" one include some detection rules, such as bruteforce attacks.

Script in base/protocols (the "base scripts") take care of a lot of the legwork of enabling and configuring the core analyzers.  They also create one or more log files to log something about the protocol and they create and populate the connection record extensions like c$ssl, c$http, s$smtp.  There is still a bit of detection being done in a few of the base scripts, but over time we will pull the rest of that out into the scripts in the policy/ directory.  The best way to think of what they do is provide very basic non-detection oriented functionality.

You had the basic idea right. :)

>   If I want to use them, do I have to include them, or they are already been included by default?

Every single script in base/ is included by default (but you can even turn those off if you are really interested in it).


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list