[Bro] Alarms in 2.0

Justin Azoff JAzoff at albany.edu
Wed Apr 11 14:47:38 PDT 2012


On Wed, Apr 11, 2012 at 03:29:28PM -0600, Tyler T. Schoenke wrote:
> Two questions regarding Alarms in 2.0.
> 
> First, I created a signature and wanted to reduce the frequency that it
> fires.  Does anyone have sample code for SIG_ALARM_PER_ORIG or some
> other way to send out a single alarm per source IP?

It looks like you are supposed to do something like

redef Signatures::actions += { ["sig_id"] = Signatures::SIG_ALARM_PER_ORIG };


-- 
-- Justin Azoff
-- Network Security & Performance Analyst


