The primary output facility in Bro is called a Notice. The Bro distribution includes a number of standard Notices, listed below. The table gives the name of the Notice, the Bro policy file that generates it, and a short description of what the Notice is about.
| Notice | Policy | Description |
|---|---|---|
| AckAboveHole | weird | Could mean packet drop; could also be a faulty TCP implementation |
| AddressDropIgnored | scan | A request to drop connectivity has been ignored (scan detected, but one of these flags is true: !can_drop_connectivity, never_shut_down, or never_drop_nets) |
| AddressDropped | scan | Connectivity with the given address has been dropped |
| AddressScan | scan | The source has scanned a number of addresses |
| BackscatterSeen | scan | Apparent flooding backscatter seen from source |
| ClearToEncrypted_SS | stepping | A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping. |
| ContentGap | weird | Data has a sequence hole; perhaps due to filtering |
| CountSignature | signatures | Signature has triggered multiple times for a destination |
| DNS_MappingChanged | dns | Some sort of change with respect to a previous Bro lookup |
| DNS_PTR_Scan | dns | Summary of a set of PTR lookups (automatically generated once per day when the dns policy is loaded) |
| DroppedPackets | netstats | Number of packets dropped as reported by the packet filter |
| FTP_BadPort | ftp | Bad format in PORT/PASV |
| FTP_ExcessiveFilename | ftp | Very long filename seen |
| FTP_PrivPort | ftp | Privileged port used in PORT/PASV |
| FTP_Sensitive | ftp | Sensitive connection (as defined in hot) |
| FTP_UnexpectedConn | ftp | FTP data transfer from an unexpected source |
| HTTP_SensitiveURI | http | Sensitive URI in GET/POST/HEAD (default sensitive URIs are defined in http-request.bro; e.g. `/etc.*\/.*(passwd\|shadow\|netconfig)`) |
| HotEmailRecipient | smtp | Hot email recipient seen; default list = NULL (example needed) |
| ICMPAsymPayload | icmp | Payload in echo request and response is not the same |
| ICMPConnectionPair | icmp | Too many ICMPs between hosts (default = 200) |
| IdentSensitiveID | ident | Sensitive username in Ident lookup |
| LocalWorm | worm | Worm seen in a local host (searches for Code Red 1, Code Red 2, Nimda, Slammer) |
| LoginForbiddenButConfused | login | Interactive login seen using a forbidden username, but the analyzer was confused in following the login dialog, so this may be in error |
| MultipleSigResponders | signatures | Host has triggered the same signature on multiple responders |
| MultipleSignatures | signatures | Host has triggered many signatures |
| OutboundTFTP | tftp | Outbound TFTP seen |
| PasswordGuessing | scan | Source tried too many user/password combinations (default = 25) |
| PortScan | scan | The source has scanned a number of ports |
| RemoteWorm | worm | Worm seen in a remote host |
| ResolverInconsistency | dns | The answer returned by a DNS server differs from one previously returned |
| ResourceSummary | print-resources | Prints Bro resource usage |
| RetransmissionInconsistency | weird | Possible evasion; usually just a bad TCP implementation |
| SSL_SessConIncon | ssl | Session data not consistent with connection |
| SSL_X509Violation | ssl | Blanket X509 error |
| ScanSummary | scan | A summary of scanning activity, output once per day |
| SensitiveConnection | conn | Connection marked "hot"; see the Reference Manual section on hot ids for more information |
| SensitiveDNS_Lookup | dns | DNS lookup of a sensitive hostname/addr; default list of sensitive hosts = NULL (example of a sensitive host needed) |
| SensitiveLogin | login | Interactive login using a sensitive username (defined in hot) |
| SensitivePortmapperAccess | portmapper | The given combination of the service looked up via the portmapper, the host requesting the lookup, and the host from which it is requesting it is deemed sensitive |
| SensitiveSignature | signatures | Generic notice for alarm-worthy signature matches |
| SensitiveUsernameInPassword | login | During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password. This is reported as a notice because it could be that the login analyzer did not track the authentication dialog correctly, and what it thinks is the user's password is in fact the user's username. |
| SignatureSummary | signatures | Summarizes the number of times a host triggered a signature (default = once per day) |
| SynFloodEnd | synflood | End of a SYN flood against a certain victim. A SYN flood is defined as more than SYNFLOOD_THRESHOLD (default = 15000) new connections reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP. |
| SynFloodStart | synflood | Start of a SYN flood against a certain victim |
| SynFloodStatus | synflood | Report of an ongoing SYN flood |
| TRWAddressScan | trw | Source flagged as a scanner by the TRW algorithm |
| TRWScanSummary | trw | Summary of scanning activity reported by TRW |
| TerminatingConnection | conn | "rst" command sent to the connection originator and the connection terminated; triggered in the following policies: ftp and login (forbidden user id), hot (connection from a host with a spoofed IP address?) |
| W32B_SourceLocal | blaster | Report a local W32.Blaster-infected host |
| W32B_SourceRemote | blaster | Report a remote W32.Blaster-infected host |
| WeirdActivity | weird | Generic unusual, alarm-worthy activity |
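The SynFloodStart/SynFloodStatus/SynFloodEnd rows above define a flood purely by a count of new connections per victim within a time window. The following is an added example, not Bro's own synflood policy code: a sliding-window tracker in Python that emits the same three notice names using the table's threshold and interval defaults (the constant names `SYNFLOOD_THRESHOLD` and `SYNFLOOD_INTERVAL` are taken from the table; the class and method names, and the sample events in `demo()`, are constructed here).

```python
from collections import deque

# Defaults quoted in the table for the synflood policy.
SYNFLOOD_THRESHOLD = 15000
SYNFLOOD_INTERVAL = 60.0  # seconds

class SynFloodTracker:
    def __init__(self, threshold=SYNFLOOD_THRESHOLD, interval=SYNFLOOD_INTERVAL):
        self.threshold = threshold
        self.interval = interval
        self.windows = {}       # victim -> deque of new-connection timestamps
        self.flooding = set()   # victims for which SynFloodStart was emitted

    def _expire(self, win, now):
        # Drop timestamps older than the interval, so len(win) is the number
        # of new connections seen in the last `interval` seconds.
        while win and now - win[0] > self.interval:
            win.popleft()

    def new_connection(self, ts, victim):
        """Record a new connection to `victim`; return a SynFloodStart
        notice the first time the window exceeds the threshold, else None."""
        win = self.windows.setdefault(victim, deque())
        win.append(ts)
        self._expire(win, ts)
        if victim not in self.flooding and len(win) > self.threshold:
            self.flooding.add(victim)
            return ("SynFloodStart", victim, len(win))
        return None

    def tick(self, now):
        """Periodic check: SynFloodStatus while a flood continues, and
        SynFloodEnd once the window has fallen back to the threshold or below."""
        notices = []
        for victim in sorted(self.flooding):
            win = self.windows[victim]
            self._expire(win, now)
            if len(win) > self.threshold:
                notices.append(("SynFloodStatus", victim, len(win)))
            else:
                self.flooding.discard(victim)
                notices.append(("SynFloodEnd", victim, len(win)))
        return notices

def demo():
    # Constructed sample: six new connections within one second to a single
    # victim, with a tiny threshold so the example runs instantly.
    t = SynFloodTracker(threshold=5, interval=10.0)
    events = [t.new_connection(0.1 * i, "10.0.0.1") for i in range(6)]
    start = [e for e in events if e is not None]
    status = t.tick(1.0)   # still inside the window: flood ongoing
    end = t.tick(30.0)     # window has emptied: flood over
    return start, status, end
```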