[Bro] hook vs. redef

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Nov 13 10:41:50 PST 2013


On Nov 13, 2013, at 9:11 AM, Matt Stucky <mattchess50 at gmail.com> wrote:

> In an older implementation of Bro we had some lines in our site file that would "redef" a notice policy to add criteria to the notice, i.e. if the notice was for a SQL_Injection_Victim AND the resp_h was in a particular subnet, then trigger the notice.  I've been testing 2.2 (the upgrade from 2.1 to 2.2 went smoothly) and trying to figure out the best way to duplicate that functionality.  It seems it would be done with a hook, but do I have to first add it to ignored_types and then re-raise it?  Or am I barking up the wrong tree entirely?
> 
> In a general sense I guess I'm asking how best to modify the criteria for an existing notice?

To conditionally ignore notices, you can generally handle a Notice::policy hook at a &priority greater than 10 and “break” from the hook if the notice meets criteria you deem uninteresting.  That will abort all the default notice handling for that particular notice.

More documentation on hooks at: http://bro.org/sphinx/scripts/builtins.html#type-hook

- Jon
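As an added illustration of the approach Jon describes (this is not code from the original thread), the following Bro script drops HTTP::SQL_Injection_Victim notices whose responder is outside a chosen set of subnets; the module name, the `victim_nets` set and its subnet values are assumptions for the example.

```bro
# Added example: conditionally ignore a notice from a Notice::policy hook.
# Subnet values are placeholders; adjust them to the local network.
module SiteNotice;

export {
    ## Responders in these subnets keep their SQL_Injection_Victim notices;
    ## anything else is dropped. Assumed/placeholder values, redef-able.
    const victim_nets: set[subnet] = { 10.0.0.0/8, 192.168.0.0/16 } &redef;
}

# Priority greater than 10 so this runs before the framework's default
# handling; "break" aborts all remaining processing for this one notice.
hook Notice::policy(n: Notice::Info) &priority=15
    {
    # Only act on the notice type we care about; leave everything else alone.
    if ( n$note != HTTP::SQL_Injection_Victim )
        return;

    # The id field is &optional in Notice::Info; without connection
    # endpoints there is nothing to match against the subnet list.
    if ( ! n?$id )
        return;

    # Responder not in an interesting subnet: suppress the notice entirely.
    if ( n$id$resp_h !in victim_nets )
        break;
    }
```

Load this from local.bro and tune the subnets with `redef SiteNotice::victim_nets += { ... };` in the site file.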


