[Bro] Faster Bro Summary of Alerts

Josh Liburdi liburdi.joshua at gmail.com
Mon May 19 05:40:32 PDT 2014


Add this field to any notice interval you'd like to change:

$suppress_for=

By default notices are suppressed for one hour, but this can be overridden
with the line above. In practice that would look like ...

NOTICE([$note=Password_Guessing,
        $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
        $src=key$host,
        $suppress_for=5mins,
        $identifier=cat(key$host)]);

-Josh

On Sat, May 17, 2014 at 10:46 AM, Chris Lowson <lowson.chris at gmail.com> wrote:

> Hello Everyone,
>
> New to Bro so please bear with me, but I can't seem to find my answer
> online.
>
> Can anyone tell me / point me in the direction to set up Bro to have the
> alert notices come in every 5-10 mins and not hourly?
>
> I don't want the connection summary every 5 mins, that can stay every hour,
> I just want to see the SSH password guessing faster.
>
> --
> Thanks,
> Christopher Lowson
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
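
The same suppression interval can also be changed from site policy, without editing the script that raises the notice. The following is an added example, not part of the original thread or of Bro's shipped scripts. It assumes Bro 2.2 or later with the notice framework's Notice::type_suppression_intervals table and Notice::policy hook, and the local-source rule in it is a constructed policy.

```bro
# Added example for site policy (e.g. local.bro); not from the original thread.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

# Per-type override: every SSH::Password_Guessing notice is suppressed
# for 5 minutes instead of the one-hour default.
redef Notice::type_suppression_intervals += {
	[SSH::Password_Guessing] = 5min,
};

# Per-notice override, for when the interval should depend on the notice
# itself. Constructed policy: a local host guessing passwords is more
# urgent, so let it resurface after one minute.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing &&
	     n?$src && Site::is_local_addr(n$src) )
		n$suppress_for = 1min;
	}
```

Suppression is keyed on the notice type together with $identifier, so with the NOTICE call above a shorter interval means the same source host can be reported again sooner, not that other hosts were being hidden.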