I did. I have also put it back into standalone mode to see if that did it… No luck.
/opt/bro2/share/bro/site# cat local.bro
##! Local site policy. Customize as appropriate.
##!
##! This file will not be overwritten when upgrading or reinstalling!
# This script logs which scripts were loaded during each run.
@load misc/loaded-scripts
# Apply the default tuning scripts for common tuning settings.
@load tuning/defaults
# Load the scan detection script.
@load misc/scan
# Log some information about web applications being used by users
# on your network.
@load misc/app-stats
# Detect traceroute being run on the network.
@load misc/detect-traceroute
# Generate notices when vulnerable versions of software are discovered.
# The default is to only monitor software found in the address space defined
# as "local". Refer to the software framework's documentation for more
# information.
@load frameworks/software/vulnerable
# Detect software changing (e.g. attacker installing hacked SSHD).
@load frameworks/software/version-changes
# This adds signatures to detect cleartext forward and reverse windows shells.
@load-sigs frameworks/signatures/detect-windows-shells
# Uncomment the following line to begin receiving (by default hourly) emails
# containing all of your notices.
redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };
# Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
# The detect-webapps script could possibly cause performance trouble when
# running on live traffic. Enable it cautiously.
#@load protocols/http/detect-webapps
# This script detects DNS results pointing toward your Site::local_nets
# where the name is not part of your local DNS zone and is being hosted
# externally. Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names
# Script to detect various activity in FTP sessions.
@load protocols/ftp/detect
# Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs
# This script enables SSL/TLS certificate validation.
@load protocols/ssl/validate-certs
# Uncomment the following line to check each SSL certificate hash against the ICSI
@load protocols/ssl/notary
# If you have libGeoIP support built in, do some geographic detections and
# logging for SSH traffic.
@load protocols/ssh/geo-data
# Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing
# Detect logins using "interesting" hostnames.
@load protocols/ssh/interesting-hostnames
# Detect SQL injection attacks.
@load protocols/http/detect-sqli
# Network File Handling
# Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files
# Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR
@load policy/integration/barnyard2
redef Communication::nodes += {
["local"] = [$host=127.0.0.1, $class="barnyard", $events=/Barnyard2::barnyard_alert/, $connect = F]
};