Node: The bro/logs Directory, Next: The bro/archive Directory, Previous: The bro/site Directory, Up: Bro Directory and Files
All logs take the form

type.hostname.start_date/time-end_date/time

The date/time stamps for each record in the files are always in UNIX (ticks since epoch) format.
Network occurrences that are determined to be of high importance will be written into the alarm file. The determination is made by the Bro policy scripts. Local site modifications can override default Bro alarms or create new ones that are site specific. Each entry contains the date/time, the alarm type, and a description of the alarm. This file is usually the "starting point" for investigation. Each alarm should be evaluated for further follow-up action.
All network connections detected by Bro are recorded in this file. A connection is defined by an initial packet that attempts to set up a session and all subsequent packets that take part in the session. Initial packets that fail to set up a session are also recorded as connections and are tagged with a failure state that designates the reason for failure. Each entry contains the following data describing the connection: date/time, the duration of the connection, the local and remote IP addresses and ports, bytes transferred in each direction, the transport protocol (udp, tcp), the final state of the connection, and other information describing the connection. This file is often used in forensic analysis to determine network activity by a suspect host beyond the immediate alarm.
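The two operations this page implies, decoding a log file name of the form type.hostname.start-end and pivoting from a host named in an alarm to its connections, as an added example that is not part of the Bro documentation. The column order used for the connection records here is an assumption (the page lists the fields but not their order), and the log name, records, IP addresses and state values are constructed for the example:

```python
import re
from datetime import datetime, timezone

# Constructed log file name in the "type.hostname.start-end" form; epoch values are made up.
LOG_NAME = "conn.sensor1.1100000000-1100003600"

# Assumed field order for a connection record (the page names the fields, not their order).
CONN_FIELDS = ["ts", "duration", "local_ip", "local_port", "remote_ip",
               "remote_port", "proto", "bytes_out", "bytes_in", "state"]

# Constructed sample records; "SF" and "REJ" stand in for a completed and a refused connection.
CONN_SAMPLE = """\
1100000012.345 0.210 10.0.0.5 51234 192.0.2.10 80 tcp 512 8192 SF
1100000030.000 0.000 10.0.0.7 40001 192.0.2.20 22 tcp 0 0 REJ
1100000045.500 12.400 10.0.0.5 51240 192.0.2.30 25 tcp 2048 300 SF
1100000090.000 0.010 10.0.0.9 53000 198.51.100.1 53 udp 60 120 SF
"""


def parse_log_name(name):
    """Split 'type.hostname.start-end' into its parts; the hostname may itself contain dots."""
    log_type, rest = name.split(".", 1)
    host, span = rest.rsplit(".", 1)
    m = re.fullmatch(r"(\d+)-(\d+)", span)
    if m is None:
        raise ValueError("log name does not end in start-end epoch span: %r" % name)
    return {"type": log_type, "host": host,
            "start": int(m.group(1)), "end": int(m.group(2))}


def epoch_to_iso(ts):
    """Render a UNIX epoch stamp (as written in every Bro log record) as ISO-8601 UTC."""
    return datetime.fromtimestamp(float(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_conn(text):
    """Parse whitespace-separated connection records into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < len(CONN_FIELDS):
            continue
        rec = dict(zip(CONN_FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["duration"] = float(rec["duration"])
        for key in ("local_port", "remote_port", "bytes_out", "bytes_in"):
            rec[key] = int(rec[key])
        rec["when"] = epoch_to_iso(rec["ts"])
        records.append(rec)
    return records


def activity_for_host(records, ip):
    """Summarise every connection a suspect host took part in (the forensic pivot from an alarm)."""
    hits = [r for r in records if ip in (r["local_ip"], r["remote_ip"])]
    peers = {r["remote_ip"] if r["local_ip"] == ip else r["local_ip"] for r in hits}
    return {
        "connections": len(hits),
        "failed": sum(1 for r in hits if r["state"] != "SF"),
        "peers": sorted(peers),
        "bytes_out": sum(r["bytes_out"] for r in hits if r["local_ip"] == ip),
        "first_seen": epoch_to_iso(min(r["ts"] for r in hits)) if hits else None,
    }


if __name__ == "__main__":
    meta = parse_log_name(LOG_NAME)
    print("%s log from %s, %s to %s" % (meta["type"], meta["host"],
                                        epoch_to_iso(meta["start"]), epoch_to_iso(meta["end"])))
    recs = parse_conn(CONN_SAMPLE)
    print(activity_for_host(recs, "10.0.0.5"))
```

Because the records carry raw epoch stamps, a summary like the one above is the usual first step after an alarm names a host: it shows which peers the host talked to in the covered interval and how many of its connections never completed.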
All transactions involving the well known ftp control port (21) are recorded into this file. Each entry is marked by an arbitrary session number, allowing full ftp control sessions to be reconstructed. Each entry contains the date/time, a session number, and ftp connection information or the specific ftp commands transferred. This file is often used to examine details of suspect ftp sessions.
All transactions involving the well known http ports (80, 8000, 8080) are recorded into this file. Each entry is marked by an arbitrary session number, allowing the full http session to be reconstructed. Each entry contains the date/time, a session number, and http connection information or the specific http commands transferred. This file is often used to examine details of suspect web sessions.
This file contains information concerning the operation of Bro during the time interval covered by the file. The entries will consist of the Bro version number, startup information, and Bro runtime warnings and errors. This file is helpful in troubleshooting Bro operational difficulties.
Network occurrences that are determined to be of nominal importance will be written into the notice file. The determination is made by the Bro policy scripts. Local site modifications can override default Bro notices or create new ones that are site specific. The notice files are similar to the alarm files, but of lesser importance. Each entry contains the date/time, a notice type, a notice action, and the local and remote IP addresses and ports. Optionally, depending on the type of notice, an entry might contain information about user, filename, method, URL, and other messages. This file alerts to occurrences that are worth noting, but do not warrant an alarm.
This file contains information associated with specific signature matches. These matches do not necessarily correspond to all alarms or notices, only to those that are triggered by a signature. Each entry contains the date/time, a description of the signature, the local and remote IP addresses and ports, the signature id number (if available), a description of the signature trigger, a portion of the offending payload data, a count of that particular signature, and a count of the number of involved hosts. This file gives details that are helpful in evaluating whether an event triggered by a signature match is a false positive.
All transactions involving the well known smtp port (25) are recorded into this file. Each entry is marked by an arbitrary session number, allowing full smtp sessions to be reconstructed. Each entry contains the date/time, a session number, and smtp connection information or the specific smtp commands transferred. This file is often used to examine details of suspect mail sessions.
This file is a record of all unique host/software pairs detected by Bro during the time interval covered by the file. Each entry in the file contains the date/time, the ip address of the host, and information about the software detected. This file can be useful for cataloging network software. However, population of this file on a busy network often results in a huge number of entries. Since the relative daily usefulness of the file usually does not warrant the disk space it consumes, the software file is turned off by default. It can be turned on by <<<instructions>>>
Network events that are unusual or exceptional are recorded in this file. A number of these events "shouldn't" or even "can't" happen according to accepted protocol definitions, yet they do. Each entry in the file contains the date/time, the local and remote ip addresses and ports, and a short description of the weird activity. This file is useful for detecting odd behavior that might normally "fly under the radar" and also for getting a general sense of the amount of "garbage" that is on the network.
Bro's worm.bro policy detects patterns generated by specific worms and records the instance in this file. Currently, the worms detected are Code Red 1, Code Red 2, Nimda, and Slammer. Each entry in the file contains the date/time, the worm detected, and the source IP address of the worm. This file is useful for spotting hosts that have been infected with worms.
Other files in the /logs directory are:
To be completed
To be completed