There are a number of things you may wish to customize.
hot_ids
The policy file hot-ids.bro contains a number of constants that you might want to customize by "redef"ing them in your local.site.bro policy file. They are all used to generate FTP and login alarms (a SensitiveConnection Notice) for suspicious user IDs. The user IDs that are in hot_ids but not in always_hot_ids are only hot upon successful login; those in always_hot_ids are hot even when the login attempt fails. For details see the Bro Reference Manual.
constant          Defaults
forbidden_ids     "uucp", "daemon", "rewt", "nuucp", "EZsetup", "OutOfBox", "4Dgifts",
                  "ezsetup", "outofbox", "4dgifts", "sgiweb", "r00t", "ruut", "bomb",
                  "backdoor", "bionic", "warhead", "check_mate", "checkmate",
                  "check_made", "themage", "darkmage", "y0uar3ownd", "netfrack",
                  "netphrack"
always_hot_ids    "lp", "demos", "retro", "milk", "moof", "own", "gdm", "anacnd",
                  plus everything in forbidden_ids above
hot_ids           "root", "system", "smtp", "sysadm", "diag", "sysdiag", "sundiag",
                  "sync", "tutor", "tour", "operator", "sys", "toor", "issadmin",
                  "msql", "sysop", "sysoper", plus everything in always_hot_ids
Input/Output Strings
The policy files login.bro and ftp.bro each contain a list of input and output strings that indicate suspicious activity. If you wish to add anything to these lists, redef one of the following constants:
login.bro: input_trouble and output_trouble
ftp.bro:   ftp_hot_files
Sensitive URIs
The policy file http-request.bro contains a list of HTTP URIs that indicate suspicious activity. If you wish to add anything to this list, redef one of the following constants:
sensitive_URIs
sensitive_post_URIs
Other
log_rotate_interval (default = 0 sec, i.e. don't rotate): redef this to rotate the log files every N seconds.
log_max_size (default = 250e6, i.e. rotate when any log file exceeds 250 MB): redef this to rotate the log files when they grow to this size.
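The following local.site.bro is an added example covering all four sections above (hot_ids, the login/FTP trouble strings, the sensitive URIs, and log rotation); it is not code from the Bro distribution or from this page. The constant names, policy file names and defaults are the ones the page lists. Everything being added (the ids "bd0or", "admin" and "oracle", the regular expressions, the 1 day / 100e6 rotation values) is a constructed placeholder, and the assumption that input_trouble, output_trouble, ftp_hot_files, sensitive_URIs and sensitive_post_URIs are pattern constants that can be extended by alternation is stated in the comments.

```bro
# local.site.bro -- added example, not from the Bro distribution or the
# page above. Every constant named here is one the page says can be
# "redef"ed in the stock policy files; the values being added are
# placeholders (constructed for illustration) that a site would replace
# with its own.

@load hot-ids
@load login
@load ftp
@load http-request

# ---- hot_ids (hot-ids.bro) -------------------------------------------
# These are set[string] constants; "+=" adds members and keeps the
# defaults. The page says forbidden_ids is folded into always_hot_ids,
# which is folded into hot_ids, but a redef applied after those
# initializers ran may not propagate upward, so an id that should be hot
# at every level is added to every level explicitly.
redef forbidden_ids  += { "bd0or" };
redef always_hot_ids += { "bd0or" };
redef hot_ids        += { "bd0or" };

# Hot only after a successful login: in hot_ids but not in always_hot_ids.
redef hot_ids += { "admin", "oracle" };

# ---- Input/Output Strings (login.bro, ftp.bro) -----------------------
# Assumption: input_trouble, output_trouble and ftp_hot_files are pattern
# constants, extended here as the alternation of the old value and a new
# regular expression. Check the declaration in the policy file first; if
# a constant is a set[string] instead, use "+= { ... }" as above.
redef input_trouble  = input_trouble  | /\/tmp\/\.x\//;
redef output_trouble = output_trouble | /uid=0\(root\)/;
redef ftp_hot_files  = ftp_hot_files  | /\.ssh\/id_(rsa|dsa)$/;

# ---- Sensitive URIs (http-request.bro) --------------------------------
# Same pattern assumption as above for the two URI constants.
redef sensitive_URIs      = sensitive_URIs      | /\/\.git\/config/;
redef sensitive_post_URIs = sensitive_post_URIs | /\/upload\.php/;

# ---- Other: log rotation ----------------------------------------------
# Rotate once a day, or sooner if any log file passes 100 MB (page
# defaults: 0 sec = never rotate, and 250e6 bytes).
redef log_rotate_interval = 1 day;
redef log_max_size = 100e6;
```

A redef has to come after the declaration it modifies, which is why the stock policies are loaded at the top and why this file should be the last one loaded. Before relying on it, replay a saved trace containing a test login with one of the added ids (bro -r trace.pcap local.site.bro) and confirm a SensitiveConnection notice is produced.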