[Bro] doubt regarding notice alarm always
Robin Sommer
robin at icir.org
Wed Nov 14 17:09:51 PST 2007
On Wed, Nov 14, 2007 at 10:40 -0500, kanthi myneni wrote:
> 1. Based on what is it logged as notice alarm always?
NOTICE_ALARM_ALWAYS is the default if you don't define anything
else. You can change what an alert is mapped to by defining a
notice_policy; see notice-policy.bro for examples.
> 2. I think t stands for time... can I know in what format it is logged?
It's seconds since Jan 1 1970. Bro comes with a tool in aux/cf which
converts them into human-readable form:
> echo "1195051259.323269" | ./cf
Nov 14 06:40:59
> 3. msg=157.182.235.186\ ->\ 157.182.235.207\ %232: in this message
> what is %232? Is that the session id?
Correct.
> 4. I am getting 2 different urls like url=/icons/folder.gif and
> url=/icons/blank.gif; why is it logging so?
Seems that both match HTTP::sensitive_URIs. Have you changed the
default for that?
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
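As an added example (not from this thread and not Bro's own code), a small Python parser for the kind of key=value notice line quoted in the question, applying the three points from the reply: t is seconds since Jan 1 1970, spaces inside msg= are backslash-escaped, and the trailing %NNN is the session id. The sample line is constructed, the field name na= is an assumption, and the time is rendered in UTC (the cf run above printed the sender's local PST time, 8 hours earlier).

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the t=... msg=... url=... style the thread
# discusses.  Only t, msg and url appear in the thread; "na=" is an assumption.
SAMPLE_LINE = (
    "t=1195051259.323269 na=NOTICE_ALARM_ALWAYS "
    "msg=157.182.235.186\\ ->\\ 157.182.235.207\\ %232 url=/icons/folder.gif"
)

# key=value pairs; a value runs until an unescaped whitespace character,
# and "\\." keeps escaped spaces (and other escaped chars) inside the value.
FIELD_RE = re.compile(r"(\w+)=((?:\\.|\S)*)")
# msg= as quoted in the question: "<src> -> <dst> %<session id>"
MSG_RE = re.compile(r"^(\S+) -> (\S+) %(\d+)$")


def parse_notice(line):
    """Split one notice line into a dict, unescaping backslash-escaped chars."""
    return {key: re.sub(r"\\(.)", r"\1", raw) for key, raw in FIELD_RE.findall(line)}


def epoch_to_utc(t):
    """t is seconds since Jan 1 1970 (per the reply); render it like cf, but in UTC."""
    return datetime.fromtimestamp(float(t), tz=timezone.utc).strftime("%b %d %H:%M:%S")


def split_msg(msg):
    """Return (src, dst, session_id) from a msg= value, or None if it has no %NNN."""
    m = MSG_RE.match(msg)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def summarize(line):
    """Human-readable view of a notice line: time, alarm level, endpoints, session, url."""
    f = parse_notice(line)
    src, dst, sid = split_msg(f.get("msg", "")) or (None, None, None)
    return {
        "time_utc": epoch_to_utc(f["t"]),
        "level": f.get("na"),
        "src": src,
        "dst": dst,
        "session": sid,
        "url": f.get("url"),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LINE))
```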