[Bro] How to generate the alerts directly?
Vern Paxson
vern at icir.org
Sun Sep 19 22:50:35 PDT 2004
> # ./bro -r /home/zhangwei/bro0907.dump
> generate the "alerts" as following:
> 1094539834.607852 weird: spontaneous_FIN
> 1094539847.830742 weird: possible_split_routing
These are not "alerts" but rather "weird"'s - that is, messages that
reflect unusual/broken activity.
> First,are the terms which i use right,such as "event" ,"alerts"?
Per the above, those are "weird"'s. Perhaps there's a better name to use;
in the future, they might be merged with the "NOTICE" framework (which
is called ALERT in the present release, but this changes with the next
release).
> Second,whether can I generate those alerts directly?
> If can,which command should i use? Or how to modify the source code?
I don't know what you mean by "directly" here.
If you mean in your policy script, you do so by calling ALERT().
Vern
More information about the Bro
mailing list