[Bro] How to generate the alerts directly?

Vern Paxson vern at icir.org
Sun Sep 19 22:50:35 PDT 2004


>     # ./bro -r /home/zhangwei/bro0907.dump
>     generates the "alerts" as follows:
>     1094539834.607852 weird: spontaneous_FIN
>     1094539847.830742 weird: possible_split_routing

These are not "alerts" but rather "weird"'s - that is, messages that
reflect unusual/broken activity.

> First, are the terms which I use right, such as "event", "alerts"?

Per the above, those are "weird"'s.  Perhaps there's a better name to use;
in the future, they might be merged with the "NOTICE" framework (which
is called ALERT in the present release, but this changes with the next
release).

> Second, can I generate those alerts directly?
>         If so, which command should I use? Or how do I modify the source code?

I don't know what you mean by "directly" here.

If you mean in your policy script, you do so by calling ALERT().

		Vern
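As an added illustration of the "call ALERT() from your policy script" answer (this is not code from the thread or from the Bro distribution), the script below escalates selected weird names to ALERTs. It assumes the 0.9-era conn_weird(name, c) event, the Alert enum and the alert_info record fields ($alert, $conn, $msg) from alert.bro; WeirdEscalated and escalate_weirds are names constructed for this example, so check your release's alert.bro and weird.bro for the exact definitions.

```bro
# Added example: turn chosen "weird" messages into ALERTs.
# Assumes Bro 0.9-era alert.bro / weird.bro interfaces (see lead-in).
@load alert
@load weird

# Constructed alert type for this example.
redef enum Alert += {
	WeirdEscalated,
};

# Weird names we consider worth an ALERT rather than only a weird log line.
# Both names are the ones reported in the question above.
const escalate_weirds: set[string] = {
	"spontaneous_FIN",
	"possible_split_routing",
} &redef;

# conn_weird fires once per per-connection weird; weird.bro still writes
# its usual "weird:" line, this handler adds an ALERT for the chosen names.
event conn_weird(name: string, c: connection)
	{
	if ( name in escalate_weirds )
		ALERT([$alert = WeirdEscalated, $conn = c,
		       $msg = fmt("escalated weird %s on %s:%d -> %s:%d",
		                  name, c$id$orig_h, c$id$orig_p,
		                  c$id$resp_h, c$id$resp_p)]);
	}
```

Run it the same way as in the question, e.g. `./bro -r <dump> this_script.bro`, and the escalated entries appear through the alert framework rather than only in the weird output.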