[Bro] processing all Notices
David Mandelberg
david at mandelberg.org
Tue May 7 10:16:54 PDT 2013
On Fri, 3 May 2013 16:57:53 -0700, Aashish SHARMA <init.conf at gmail.com> wrote:
> [Not sure if my previous reply went through - resending]
>
> Hello David:
>
> I have a very simple script which counts the number of notices per source
> and generates another notice. The new notice can be an escalation to a
> different action (Action::EMAIL or ACTION::DROP etc).
>
> Consider this version 0.1, but you will get a good idea from this. I want
> to include another threshold for generating a notice if N distinct
> notice_types per source are seen. Additionally, such heuristics can be
> extended further.
>
> Policy file attached.
>
> Aashish
Thanks!
--
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
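As an added example (not the policy file attached to the thread, which is not reproduced here), a Zeek script implementing the heuristic Aashish describes: count notices per source and raise an escalated notice past a threshold, plus the planned second threshold on N distinct notice types per source, with the escalated notices e-mailed. It uses the hook-based Notice::policy of current Zeek (formerly Bro) rather than the 2013 Bro 2.1 policy-set syntax; the module name, notice names and threshold values are assumptions.

```zeek
@load base/frameworks/notice

module NoticeEscalation;

export {
    redef enum Notice::Type += {
        ## One source produced notice_count_threshold notices in the window.
        Excessive_Notices,
        ## One source triggered distinct_type_threshold different notice types.
        Diverse_Notices,
    };
    ## Hypothetical thresholds; tune them to the site's notice volume.
    const notice_count_threshold = 10 &redef;
    const distinct_type_threshold = 3 &redef;
    ## A source's counters are dropped after this much idle time.
    const tracking_window = 1hr &redef;
}

# Per-source state, expiring once a source stops generating notices.
global notice_counts: table[addr] of count &write_expire=tracking_window;
global notice_types: table[addr] of set[Notice::Type] &write_expire=tracking_window;

hook Notice::policy(n: Notice::Info) &priority=5
{
    # Our own escalation notices get the stronger action (e-mail, as in the
    # thread) and are not counted, so they cannot feed back into the counters.
    if ( n$note == Excessive_Notices || n$note == Diverse_Notices )
        {
        add n$actions[Notice::ACTION_EMAIL];
        return;
        }
    if ( ! n?$src )
        return;
    local src = n$src;
    if ( src !in notice_counts )
        {
        notice_counts[src] = 0;
        notice_types[src] = set();
        }
    ++notice_counts[src];
    add notice_types[src][n$note];
    # Fire once per crossing; $identifier suppresses repeats for the
    # default suppression interval.
    if ( notice_counts[src] == notice_count_threshold )
        NOTICE([$note=Excessive_Notices, $src=src, $identifier=cat(src),
                $msg=fmt("%s raised %d notices", src, notice_count_threshold)]);
    if ( |notice_types[src]| == distinct_type_threshold )
        NOTICE([$note=Diverse_Notices, $src=src, $identifier=cat(src),
                $msg=fmt("%s hit %d distinct notice types", src, distinct_type_threshold)]);
}
```

Swap Notice::ACTION_EMAIL for Notice::ACTION_DROP (with the drop framework loaded) to get the blocking escalation the thread mentions; on a cluster the counters live on whichever node runs the Notice::policy hook, so verify they are aggregated where notices are processed.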