# Bro Lite base configuration file. # General policy - these scripts are more infrastructural than service # oriented, so in general avoid changing anything here. @load site # defines local and neighbor networks from static config @load tcp # initialize BPF filter for SYN/FIN/RST TCP packets @load weird # initialize generic mechanism for unusual events @load conn # access and record connection events @load hot # defines certain forms of sensitive access @load frag # process TCP fragments @load print-resources # on exit, print resource usage information # Scan detection policy. @load scan # generic scan detection mechanism @load trw # additional, more sensitive scan detection #@load drop # include if installation has ability to drop hostile remotes # Application level policy - these scripts operate on the specific service. @load http # general http analyzer, low level of detail @load http-request # detailed analysis of http requests @load http-reply # detailed analysis of http reply's # Track software versions; required for some signature matching. Also # can be used by http and ftp policies. @load software @load ftp # FTP analysis @load portmapper # record and analyze RPC portmapper requests @load tftp # identify and log TFTP sessions @load login # rlogin/telnet analyzer @load irc # IRC analyzer @load blaster # blaster worm detection @load stepping # "stepping stone" detection @load synflood # synflood attacks detection @load smtp # record and analyze email traffic - somewhat expensive @load notice-policy # tuning of notices to downgrade some alarms # off by default #@load icmp # icmp analysis # Tuning of memory consumption. @load inactivity # time out connections for certain services more quickly # @load print-globals # on exit, print the size of global script variables # Record system statistics to the notice file @load stats # udp analysis - potentially expensive, depending on a site's traffic profile #@load udp.all #@load remove-multicast # Prints the pcap filter and immediately exits. Not used during # normal operation. #@load print-filter ## End policy script loading. ## General configuration. @load rotate-logs redef log_rotate_base_time = "0:00"; redef log_rotate_interval = 24 hr; # Set additional policy prefixes. @prefixes += lite ## End basic configuration. ## Scan configuration. @ifdef ( Scan::analyze_all_services ) redef Scan::analyze_all_services = T; # The following turns off scan detection. #redef Scan::suppress_scan_checks = T; # Be a bit more aggressive than default (though the defaults # themselves should be fixed). redef Scan::report_outbound_peer_scan = { 100, 1000, }; # These services are skipped for scan detection due to excessive # background noise. redef Scan::skip_services += { http, # Avoid Code Red etc. overload 27374/tcp, # Massive scanning in Jan 2002 1214/tcp, # KaZaa scans 12345/tcp, # Massive scanning in Apr 2002 445/tcp, # Massive distributed scanning Oct 2002 135/tcp, # These days, NetBIOS scanning is endemic 137/udp, # NetBIOS 139/tcp, # NetBIOS 1025/tcp, 6129/tcp, # Dameware 3127/tcp, # MyDoom worms worms worms! 2745/tcp, # Bagel worm 1433/tcp, # Distributed scanning, April 2004 5000/tcp, # Distributed scanning, May 2004 5554/tcp, # More worm food, May 2004 9898/tcp, # Worms attacking worms. ugh - May 2004 3410/tcp, # More worm food, June 2004 3140/tcp, # Dyslexic worm food, June 2004 27347/tcp, # Can't kids type anymore? 1023/tcp, # Massive scanning, July 2004 17300/tcp, # Massive scanning, July 2004 }; @endif @ifdef ( ICMP::detect_scans ) # Whether to detect ICMP scans. redef ICMP::detect_scans = F; redef ICMP::scan_threshold = 100; @endif @ifdef ( TRW::TRWAddressScan ) # remove logging TRW scan events redef notice_action_filters += { [TRW::TRWAddressScan] = ignore_notice, }; @endif # Note: default scan configuration is conservative in terms of memory use and # might miss slow scans. Consider uncommenting these based on your sites scan # traffic. #redef distinct_peers &create_expire = 30 mins; #redef distinct_ports &create_expire = 30 mins; #redef distinct_low_ports &create_expire= 30 mins; ## End scan configuration. ## additional IRC checks redef IRC::hot_words += /.*exe/ ; ## Dynamic Protocol Detection configuration # # This is off by default, as it requires a more powerful Bro host. # Uncomment next line to activate. # const use_dpd = T; @ifdef ( use_dpd ) @load dpd @load irc-bot @load dyn-disable @load detect-protocols @load detect-protocols-http @load proxy @load ssh # By default, DPD looks at all traffic except port 80. # For lightly loaded networks, comment out the restrict_filters line. # For heavily loaded networks, try adding addition ports (e.g., 25) to # the restrict filters. redef capture_filters += [ ["tcp"] = "tcp" ]; redef restrict_filters += [ ["not-http"] = "not (port 80)" ]; @endif @ifdef ( ProtocolDetector::ServerFound ) # Report servers on non-standard ports only for local addresses. redef notice_policy += { [$pred(a: notice_info) = { return a$note == ProtocolDetector::ServerFound && ! is_local_addr(a$src); }, $result = NOTICE_FILE, $priority = 1], # Report protocols on non-standard ports only for local addresses # (unless it's IRC). [$pred(a: notice_info) = { return a$note == ProtocolDetector::ProtocolFound && ! is_local_addr(a$dst) && a$sub != "IRC"; }, $result = NOTICE_FILE, $priority = 1], }; @endif # The following is used to transfer state between Bro's when one # takes over from another. # # NOTE: not implemented in the production version, so ignored for now. @ifdef ( remote_peers_clear ) redef remote_peers_clear += { [127.0.0.1, 55555/tcp] = [$hand_over = T], [127.0.0.1, 0/tcp] = [$hand_over = T] }; @endif # Use tagged log files for notices. redef use_tagging = T;