[Bro] how to add new event to Bro

bchen at cs.ucf.edu bchen at cs.ucf.edu
Wed Apr 6 14:16:26 PDT 2005


Hi all,
   I am new to Bro. I want to add new events to Bro. These events would occur
when some statistical parameters across multiple sessions to an internal
host/network exceed their thresholds. An example event would be that the number
of connections made from external hosts to a monitored internal host exceeds
100 in the last two seconds. Another example event would be that the number of
rejected connection requests to my internal network exceeds 200 in the last two
minutes. Does anyone know how to create such events?
   I met another problem when I tried to run Bro (./bro.rc --start) on Fedora 3.
A success message was displayed on the screen. But when I checked the status, it
was not running. After I tried to run Bro again, the following error message
appeared:
=============================================================================
[root at localhost etc]# ./bro.rc --start
bro.rc: Running as non-root user root
bro.rc: Starting .........Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.3/FAQ
bro.rc: Failed to start Bro
Error in signature (signatures:1803): unknown identifier (dataSizeG100)
Error in signature (signatures:1815): unknown identifier (dataSizeG100)
Error in signature (signatures:1838): unknown identifier (dataSizeG100)
Error in signature (signatures:1850): unknown identifier (dataSizeG100)
...................
.... FAILED
=============================================================================

I then commented out the following statements in my local site, and Bro works
properly.

redef signature_files += "sig-addendum";
redef signature_files += "signatures";

Does anyone know what this problem is?

thanks for your time

Bing
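
The two thresholds described in the message above, as an added example that is not part of the original post and is not Bro policy-script code: a Python sliding-window counter run over constructed connection records. The record layout, the 10.0.0.0/8 internal range, the event names and the use of Bro's REJ connection state to mark rejected attempts are assumptions.

```python
import ipaddress
from collections import defaultdict, deque

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal network

class WindowThreshold:
    """Fire once per key when more than `limit` items fall inside `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)  # key -> timestamps still inside the window
        self.alerted = set()            # keys currently above the limit

    def observe(self, key, ts):
        q = self.seen[key]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # expire entries older than the window
            q.popleft()
        if len(q) > self.limit:
            if key not in self.alerted:        # suppress repeats while still above
                self.alerted.add(key)
                return True
        else:
            self.alerted.discard(key)          # re-arm once the rate drops again
        return False

def detect(records):
    """records: time-ordered (ts, orig_ip, resp_ip, conn_state) tuples."""
    per_host = WindowThreshold(100, 2.0)    # >100 inbound connections in 2 seconds
    rejected = WindowThreshold(200, 120.0)  # >200 rejected requests in 2 minutes
    events = []
    for ts, orig, resp, state in records:
        inbound = (ipaddress.ip_address(orig) not in INTERNAL
                   and ipaddress.ip_address(resp) in INTERNAL)
        if not inbound:
            continue
        if per_host.observe(resp, ts):
            events.append(("host_conn_threshold", resp, ts))
        if state == "REJ" and rejected.observe("internal_net", ts):
            events.append(("rejected_threshold", str(INTERNAL), ts))
    return events

def sample():
    """Constructed data: a 150-connection burst, then 230 rejected probes."""
    recs = [(i / 100.0, "198.51.100.7", "10.0.0.5", "SF") for i in range(150)]
    recs += [(10.0 + i * 0.5, "203.0.113.9", "10.0.1.%d" % (i + 1), "REJ")
             for i in range(230)]
    return recs

if __name__ == "__main__":
    for event in detect(sample()):
        print(event)
```

Each detector keeps one timestamp queue per key, so memory grows with the number of distinct internal hosts seen; a long-running monitor would also expire idle keys.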




