[Bro] hook vs. redef

Matt Stucky mattchess50 at gmail.com
Wed Nov 13 07:11:49 PST 2013


In an older implementation of Bro we had some lines in our site file that
would "redef" a notice policy to add criteria to the notice, i.e. if the
notice was for a SQL_Injection_Victim AND the resp_h was in a particular
subnet, then trigger the notice.  I've been testing 2.2 (the upgrade from
2.1 to 2.2 went smoothly) and trying to figure out the best way to
duplicate that functionality.  It seems it would be done with a hook, but
do I have to first add it to ignored_types and then re-raise it?  Or am I
barking up the wrong tree entirely?

In a general sense I guess I'm asking how best to modify the criteria for
an existing notice?

Thanks,
Matt
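The pattern the post asks about, written out as an added example (not code from Matt's message or from the Bro distribution). In 2.2 every NOTICE() is passed through the `Notice::policy` hook before its actions run, so the old `redef Notice::policy += { [$pred=...] }` entry becomes a hook handler; nothing needs to go through `Notice::ignored_types` first. The subnet, the e-mail action and the `&priority=5` value are assumptions for the example, as is the fall-back from `n$src` to `n$id$resp_h`.

```zeek
# Added example, not from the original post: restrict an existing notice
# (HTTP::SQL_Injection_Victim) to hosts in a watched subnet using the
# Notice::policy hook instead of a redef of the old policy table.
@load protocols/http/detect-sqli

module SiteNotice;

export {
	# Assumed value: the address range whose web servers we care about.
	const watched_servers: set[subnet] = { 10.20.0.0/16 } &redef;
}

# The stock handler at &priority=10 has already added ACTION_LOG by the
# time this runs, so a lower-priority handler can add or remove actions.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( n$note != HTTP::SQL_Injection_Victim )
		return;

	# detect-sqli fills in $src with the server address for the victim
	# notice (assumed); fall back to the connection's resp_h when only a
	# conn_id is attached.
	local victim: addr;
	if ( n?$src )
		victim = n$src;
	else if ( n?$id )
		victim = n$id$resp_h;
	else
		return;

	if ( victim in watched_servers )
		# Matches our criteria: escalate beyond the default log entry.
		add n$actions[Notice::ACTION_EMAIL];
	else
		# Not one of ours: removing the only remaining action drops it.
		delete n$actions[Notice::ACTION_LOG];
	}
```

A handler that only wants to keep the notice for the watched subnet and silently discard it elsewhere needs just the `delete` branch; `break` inside the hook would stop later handlers but would not by itself remove the actions already attached to the notice.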