A Bro policy script is the basic analyzer Bro uses to determine which network events are worth raising an alarm for.
A policy can also specify what actions to take and how to report activities, as well as determine which activities to scrutinize.
Bro uses policies to determine which activities to classify as "hot", that is, questionable in intent.
These hot network sessions can then be flagged, watched, or responded to by other policies or by whatever applications are deemed necessary, such as calling rst to reset a connection on the local side, or adding an IP address block to a main router's ACL (Access Control List).
The policy files use the Bro scripting language, which is discussed in great detail in The Bro Reference Manual.
Policy files are loaded using an @load command. The semantics of @load are "load this script if it hasn't already been loaded", so there is no harm in loading the same script from multiple policy scripts.
The following policy scripts are included with Bro. The first set are all on by default, and the second group can be added by adding them to your site/local.site.bro policy file.
Bro Analyzers are described in detail in the Reference Manual. These policy files are loaded by default:
Policy            Description
site              defines local and neighbor networks from static config
alarm             open logging file for alarm events
tcp               initialize BPF filter for SYN/FIN/RST TCP packets
login             rlogin/telnet analyzer (or to ensure they are disabled)
weird             initialize generic mechanism for detecting unusual events
conn              access and record connection events
hot               defines certain forms of sensitive access
frag              process TCP fragments
print-resources   on exit, print resource usage information, useful for tuning
signatures        the signature policy engine
scan              generic scan detection mechanism
trw               additional, more sensitive scan detection
http              general http analyzer, low level of detail
http-request      detailed analysis of http requests
http-reply        detailed analysis of http replies
ftp               FTP analysis
portmapper        record and analyze RPC portmapper requests
smtp              record and analyze email traffic
tftp              identify and log TFTP sessions
worm              flag HTTP-based worm sources such as Code Red
software          track software versions; required for some signature matching
blaster           looks for blaster worm
synflood          looks for synflood attacks
stepping          used to detect when someone logs into your site from an external net, and then soon logs into another site
reduce-memory     sets shorter timeouts for saving state, thus saving memory. If your Bro is using < 50% of your RAM, try not loading this
These are not loaded by default:
Policy         Description                                                                    Why off by default
drop           Include if site has ability to drop hostile remotes                            Turn on if needed
icmp           icmp analysis                                                                  CPU intensive and low payoff
dns            DNS analysis                                                                   CPU intensive and low payoff
ident          ident program analyzer                                                         historical, no longer interesting
gnutella       looks for hosts running Gnutella                                               Turn this on if you want to know about this
ssl            ssl analyzer                                                                   still experimental
ssh-stepping   Detects stepping stones where both incoming and outgoing connections are ssh   Possibly too CPU intensive (needs more testing)
analy          Performs statistical analysis                                                  only used in off-line analysis
backdoor       Looks for backdoors                                                            only effective when also capturing bulk traffic
passwords      Looks for clear text passwords                                                 may want to turn on if your site does not allow clear text passwords
file-flush     Causes all log files to be flushed every N seconds                             may want to turn on if you are doing "real time" analysis
To modify which analyzers are loaded, edit or create a file in BROHOME/site.
If you write your own custom analyzer, it goes in this directory too. To disable an analyzer,
add "@unload policy.bro" to the beginning of the file BROHOME/brohost.bro, before
the line "@load brolite.bro". To add additional analyzers, @load them
in BROHOME/site/local.site.bro.
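The following is an added example, not text from the Bro distribution, showing the two edits described above together with the @load semantics from the section on loading policy files: brohost.bro drops the default reduce-memory policy (appropriate when Bro is using less than half the machine's RAM), local.site.bro turns on the passwords and drop policies from the "not loaded by default" table, and a small custom script in BROHOME/site @loads conn itself. The file names reduce-memory.bro, passwords.bro, drop.bro and conn.bro are assumed to match the policy names in the tables, and the custom script (telnet-watch.bro, its event handler and its use of connection_established, fmt and print) is a hypothetical illustration rather than a script shipped with Bro.

```bro
# --- BROHOME/brohost.bro (added example; file names assumed from the policy tables) ---
# @unload must come before brolite.bro is loaded, otherwise the default set
# has already pulled reduce-memory in and the @unload has no effect.
@unload reduce-memory.bro
@load brolite.bro

# --- BROHOME/site/local.site.bro (added example) ---
# Extra analyzers that are off by default. Loading conn again here is harmless:
# @load is "load if not already loaded", and brolite.bro has already loaded it.
@load conn
@load passwords      # flag clear-text passwords if site policy forbids them
@load drop           # only useful if the site can actually drop hostile remotes
@load telnet-watch   # the custom script below, also living in BROHOME/site

# --- BROHOME/site/telnet-watch.bro (hypothetical custom analyzer, added example) ---
# Depends on the conn policy; the @load is redundant after local.site.bro but
# keeps this script usable on its own.
@load conn

# Report new connections to the telnet port, a clear-text login service.
event connection_established(c: connection)
    {
    if ( c$id$resp_p == 23/tcp )
        print fmt("telnet session %s -> %s", c$id$orig_h, c$id$resp_h);
    }
```

Because @load is idempotent, it is safer to @load every dependency a custom script needs than to rely on brolite.bro having loaded it first; the only ordering that matters is that @unload lines in brohost.bro precede the @load of brolite.bro.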