Signature "action" levels are controlled by the file $BROHOME/site/sigaction.bro.
You can set the signature action to one of the following:
    SIG_IGNORE           # ignore this sig. completely
    SIG_FILE             # write to signatures and notice files
    SIG_ALARM            # alarm and write to notice and alarm files
    SIG_ALARM_PER_ORIG   # alarm once per originator
    SIG_ALARM_ONCE       # alarm once and then never again
All signatures default to action = SIG_ALARM. To lower the alarm level of a signature, add an entry for it to the file $BROHOME/site/sigaction.bro. The Bro distribution contains a default sigaction.bro file that lowers the level of a number of signatures from ALARM to FILE (notice).
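A sketch of what such entries can look like, as an added example rather than the contents of the distributed sigaction.bro. It assumes the per-signature action table is named signature_actions and is redefinable, as in Bro's signatures policy script; the signature IDs are constructed placeholders.

```bro
# $BROHOME/site/sigaction.bro (added example, not the distributed file)
#
# Assumption: signature_actions is a &redef table mapping signature ID
# to action, with SIG_ALARM as the default for IDs that are not listed.
# All signature IDs below are constructed placeholders.

redef signature_actions += {
	# Noisy on this network: stop alarming, but keep the match in the
	# signatures and notice files so it remains available for review.
	["example-sig-noisy"] = SIG_FILE,

	# Fires many times per source: alarm once per originator.
	["example-sig-repeating"] = SIG_ALARM_PER_ORIG,

	# Only the first occurrence is of interest: alarm once, then never again.
	["example-sig-first-only"] = SIG_ALARM_ONCE,

	# Not applicable to this site: matches are dropped completely.
	# Unlike SIG_FILE, this leaves no record of the match at all.
	["example-sig-not-applicable"] = SIG_IGNORE,
};
```

Signatures not listed keep the SIG_ALARM default, so the file only needs entries for signatures whose level is being changed.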
To permanently remove a signature you can delete it from the .sig file.