


Customizing Bro

NOTE: This chapter is still a rough draft and incomplete.

Bro is very customizable, and there are several ways to modify Bro to suit your environment. You can write your own policy analyzers using the Bro language. Most sites will likely just want to do minor customizations, such as changing the level of an alert from "notice" to "alarm", or turning particular analyzers on or off. This chapter describes how to do these types of customizations. Information on how to write your own analyzers can be found in the Bro Reference Manual.

The default policy scripts for Bro are all in $BROHOME/policy. These files should never be edited, as your edits will be lost when you upgrade Bro. To customize Bro for your site, you should make all your changes in $BROHOME/site. Many simple changes just require you to redefine (using the redef operator) a Bro constant from a standard policy script with your own custom value. You can also write your own custom script to do whatever you want.

For example, to add "guest" to the list of forbidden_ids (user names that generate a login alarm), you do this:

    redef forbidden_ids += { "guest", };
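As an added illustration (not from the manual, and not one of Bro's own scripts), the same customization as it would appear in a site script, together with the two details the one-liner leaves out: the analyzer declaring the constant must be loaded before the redef, and a constant can only be redefined if it was declared with &redef. The file name local.bro is assumed; the manual only says site changes belong under $BROHOME/site.

```bro
# $BROHOME/site/local.bro  (file name is an assumption)

# Load the standard login analyzer, which declares forbidden_ids
# with &redef.  A redef is only accepted after the declaration it
# modifies has been loaded, otherwise Bro reports an unknown identifier.
@load login

# Append to the standard set; this is what the manual's one-liner does.
redef forbidden_ids += { "guest", "test" };

# To discard the standard entries and use only your own, assign with
# "=" instead of "+=":
#   redef forbidden_ids = { "guest" };

# A constant declared in a site script must carry &redef if a later
# script (or a later line in this file) is to change it.
const local_admin_ids: set[string] = { "ops" } &redef;
redef local_admin_ids += { "oncall" };
```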

In this chapter we give an overview of all the standard Bro policy scripts, what notices they generate, and how to customize the most commonly changed items.