Bro User Manual

Node: Notices, Next: Notice Actions, Previous: Policy Files, Up: Customizing Bro

Notices

The primary output facility in Bro is called a Notice. The Bro distribution includes a number of standard of Notices, listed below. The table contains the name of the Notice, what Bro policy file generates it, and a short description of what the Notice is about.

Notice Policy Description
AckAboveHole weird Could mean packet drop; could also be a faulty TCP implementation
AddressDropIgnored scan A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true: !can_drop_connectivity, or never_shut_down, or never_drop_nets )
AddressDropped scan Connectivity w/ given address has been dropped
AddressScan scan The source has scanned a number of addrs
BackscatterSeen scan Apparent flooding backscatter seen from source
ClearToEncrypted_SS stepping A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
ContentGap weird Data has sequence hole; perhaps due to filtering
CountSignature signatures Signature has triggered multiple times for a destination
DNS_MappingChanged DNS Some sort of change WRT previous Bro lookup
DNS_PTR_Scan dns Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
DroppedPackets netstats Number of packets dropped as reported by the packet filter
FTP_BadPort ftp Bad format in PORT/PASV;
FTP_ExcessiveFilename ftp Very long filename seen
FTP_PrivPort ftp Privileged port used in PORT/PASV
FTP_Sensitive ftp Sensitive connection (as defined in hot)
FTP_UnexpectedConn ftp FTP data transfer from unexpected src
HTTP_SensitiveURI http Sensitive URI in GET/POST/HEAD (default sensitive URIs defined http-request.bro; e.g.: /etc.*\/.*(passwd|shadow|netconfig)
HotEmailRecipient smtp Need Example.? default = NULL
ICMPAsymPayload icmp Payload in echo req-resp not the same
ICMPConnectionPair icmp Too many ICMPs between hosts (default = 200)
IdentSensitiveID ident Sensitive username in Ident lookup
LocalWorm worm Worm seen in local host (searches for code red 1, code red 2, nimda, slammer)
LoginForbiddenButConfused login Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
MultipleSigResponders signatures host has triggered the same signature on multiple responders
MultipleSignatures signatures host has triggered many signatures
Multiple SigResponders signatures host has triggered the same signature on multiple responders
OutboundTFTP tftp outbound TFTP seen
PasswordGuessing scan source tried too many user/password combinations (default = 25)
PortScan scan the source has scanned a number of ports
RemoteWorm worm worm seen in remote host
ResolverInconsistency dns the answer returned by a DNS server differs from one previously returned
ResourceSummary print-resources prints Bro resource usage
RetransmissionInconsistency weird possible evasion; usually just bad TCP implementation
SSL_SessConIncon ssl session data not consistent with connection
SSL_X509Violation ssl blanket X509 error
ScanSummary scan a summary of scanning activity, output once / day
SensitiveConnection conn connection marked "hot", See: Reference Manual section on hot ids for more information.
SensitiveDNS_Lookup dns DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL (what is an example of a sensitive host?)
SensitiveLogin login interactive login using sensitive username (defined in 'hot')
SensitivePortmapperAccess portmapper the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
SensitiveSignature signatures generic for alarm-worthy
SensitiveUsernameInPassword login During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password. This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
SignatureSummary signatures summarize number of times a host triggered a signature (default = 1/day)
SynFloodEnd synflood end of syn-flood against a certain victim. A syn-flood is defined to be more than SYNFLOOD_THRESHOLD (default = 15000) new connections have been reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP.
SynFloodStart synflood start of syn-flood against a certain victim
SynFloodStatus synflood report of ongoing syn-flood
TRWAddressScan trw source flagged as scanner by TRW algorithm
TRWScanSummary trw summary of scanning activities reported by TRW
TerminatingConnection conn "rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address?)
W32B_SourceLocal blaster report a local W32.Blaster-infected host
W32B_SourceRemote blaster report a remote W32.Blaster-infected host
WeirdActivity Weird generic unusual, alarm-worthy activity

Notice	Policy	Description
`AckAboveHole`	weird	Could mean packet drop; could also be a faulty TCP implementation
`AddressDropIgnored`	scan	A request to drop connectivity has been ignored ; (scan detected, but one of these flags is true: !can_drop_connectivity, or never_shut_down, or never_drop_nets )
`AddressDropped`	scan	Connectivity w/ given address has been dropped
`AddressScan`	scan	The source has scanned a number of addrs
`BackscatterSeen`	scan	Apparent flooding backscatter seen from source
`ClearToEncrypted_SS`	stepping	A stepping stone was seen in which the first part of the chain is a clear-text connection but the second part is encrypted. This often means that a password or passphrase has been exposed in the clear, and may also mean that the user has an incomplete notion that their connection is protected from eavesdropping.
`ContentGap`	weird	Data has sequence hole; perhaps due to filtering
`CountSignature`	signatures	Signature has triggered multiple times for a destination
`DNS_MappingChanged`	DNS	Some sort of change WRT previous Bro lookup
`DNS_PTR_Scan`	dns	Summary of a set of PTR lookups (automatically generated once/day when dns policy is loaded)
`DroppedPackets`	netstats	Number of packets dropped as reported by the packet filter
`FTP_BadPort`	ftp	Bad format in PORT/PASV;
`FTP_ExcessiveFilename`	ftp	Very long filename seen
`FTP_PrivPort`	ftp	Privileged port used in PORT/PASV
`FTP_Sensitive`	ftp	Sensitive connection (as defined in hot)
`FTP_UnexpectedConn`	ftp	FTP data transfer from unexpected src
`HTTP_SensitiveURI`	http	Sensitive URI in GET/POST/HEAD (default sensitive URIs defined http-request.bro; e.g.: /etc.\/.(passwd\|shadow\|netconfig)
`HotEmailRecipient`	smtp	Need Example.? default = NULL
`ICMPAsymPayload`	icmp	Payload in echo req-resp not the same
`ICMPConnectionPair`	icmp	Too many ICMPs between hosts (default = 200)
`IdentSensitiveID`	ident	Sensitive username in Ident lookup
`LocalWorm`	worm	Worm seen in local host (searches for code red 1, code red 2, nimda, slammer)
`LoginForbiddenButConfused`	login	Interactive login seen using forbidden username, but the analyzer was confused in following the login dialog, so may be in error.
`MultipleSigResponders`	signatures	host has triggered the same signature on multiple responders
`MultipleSignatures`	signatures	host has triggered many signatures
`Multiple SigResponders`	signatures	host has triggered the same signature on multiple responders
`OutboundTFTP`	tftp	outbound TFTP seen
`PasswordGuessing`	scan	source tried too many user/password combinations (default = 25)
`PortScan`	scan	the source has scanned a number of ports
`RemoteWorm`	worm	worm seen in remote host
`ResolverInconsistency`	dns	the answer returned by a DNS server differs from one previously returned
`ResourceSummary`	print-resources	prints Bro resource usage
`RetransmissionInconsistency`	weird	possible evasion; usually just bad TCP implementation
`SSL_SessConIncon`	ssl	session data not consistent with connection
`SSL_X509Violation`	ssl	blanket X509 error
`ScanSummary`	scan	a summary of scanning activity, output once / day
`SensitiveConnection`	conn	connection marked "hot", See: Reference Manual section on hot ids for more information.
`SensitiveDNS_Lookup`	dns	DNS lookup of sensitive hostname/addr; default list of sensitive hosts = NULL (what is an example of a sensitive host?)
`SensitiveLogin`	login	interactive login using sensitive username (defined in 'hot')
`SensitivePortmapperAccess`	portmapper	the given combination of the service looked up via the pormapper, the host requesting the lookup, and the host from which it's requiesting it is deemed sensitive
`SensitiveSignature`	signatures	generic for alarm-worthy
`SensitiveUsernameInPassword`	login	During a login dialog, a sensitive username (e.g., "rewt") was seen in the user's password. This is reported as a notice because it could be that the login analyzer didn't track the authentication dialog correctly, and in fact what it thinks is the user's password is instead the user's username.
`SignatureSummary`	signatures	summarize number of times a host triggered a signature (default = 1/day)
`SynFloodEnd`	synflood	end of syn-flood against a certain victim. A syn-flood is defined to be more than SYNFLOOD_THRESHOLD (default = 15000) new connections have been reported within the last SYNFLOOD_INTERVAL (default = 60 seconds) for a certain IP.
`SynFloodStart`	synflood	start of syn-flood against a certain victim
`SynFloodStatus`	synflood	report of ongoing syn-flood
`TRWAddressScan`	trw	source flagged as scanner by TRW algorithm
`TRWScanSummary`	trw	summary of scanning activities reported by TRW
`TerminatingConnection`	conn	"rst" command sent to connection origin, connection terminated, triggered in the following policies: ftp and login: forbidden user id, hot (connection from host with spoofed IP address?)
`W32B_SourceLocal`	blaster	report a local W32.Blaster-infected host
`W32B_SourceRemote`	blaster	report a remote W32.Blaster-infected host
`WeirdActivity`	Weird	generic unusual, alarm-worthy activity