doubt regarding notice alarm always

Hi,

I started a server on the machine (system 1) where Bro is running. I
tried to access it from another system (system 2).

I observed that it is logged as notice alarm always, like:

t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/blank.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>

t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/folder.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>

Here system 1 is 157.182.235.207 and system 2 is 157.182.235.186

A few questions regarding the above data:

1. On what basis is it logged as notice alarm always?

2. I think t stands for time... can I know in what format it is logged?

3. msg=157.182.235.186\ ->\ 157.182.235.207\ %232: in this message,
what is %232? Is that a session id?

4. I am getting 2 different urls, like url=/icons/folder.gif and
url=/icons/blank.gif. Why is it logging so?

Sorry to take your valuable time.

Thanks & Regards,
Kanthi.

1. On what basis is it logged as notice alarm always?

NOTICE_ALARM_ALWAYS is the default if you don't define anything
else. You can change what an alert is mapped to by defining a
notice_policy; see notice-policy.bro for examples.

2. I think t stands for time... can I know in what format it is logged?

It's seconds since Jan 1 1970. Bro comes with a tool in aux/cf which
converts them into human-readable form:

         > echo "1195051259.323269" | ./cf
         Nov 14 06:40:59

3. msg=157.182.235.186\ ->\ 157.182.235.207\ %232: in this message,
what is %232? Is that a session id?

Correct.

4. I am getting 2 different urls, like url=/icons/folder.gif and
url=/icons/blank.gif. Why is it logging so?

Seems that both match HTTP::sensitive_URIs. Have you changed the
default for that?

Robin
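For anyone who wants to work with these notice records outside Bro, here is an added Python example (not from the thread and not part of Bro) that parses the key=value format shown above, unescapes the backslash-escaped spaces in msg, renders t in UTC and pulls out the %N session number. The sample records are copied from the question; the example assumes the cf output above was in local time, since 1195051259 decodes to 14:40:59 UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the two notice records from the question, one record
# per paragraph (the mailer wrapped each record across three lines).
SAMPLE_LOG = r"""t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/blank.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>

t=1195051259.323269 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS
sa=157.182.235.186 da=157.182.235.207 method=GET url=/icons/folder.gif
msg=157.182.235.186\ ->\ 157.182.235.207\ %232:\ <no\ reply>
"""

# A field is a run of characters with no unescaped whitespace; "\ " keeps a
# space inside a value (as in the msg field).
FIELD_RE = re.compile(r"(?:[^\s\\]|\\.)+")
SESSION_RE = re.compile(r"%(\d+):")


def parse_notice(record: str) -> dict:
    """Turn one key=value notice record into a dict, dropping the escapes."""
    fields = {}
    for token in FIELD_RE.findall(record):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"field without '=': {token!r}")
        fields[key] = re.sub(r"\\(.)", r"\1", value)
    return fields


def parse_notice_log(text: str) -> list:
    """Split a wrapped log into blank-line separated records and parse each."""
    return [parse_notice(r) for r in re.split(r"\n\s*\n", text.strip()) if r.strip()]


def notice_time_utc(fields: dict) -> str:
    """Render the epoch-seconds 't' field as a UTC timestamp."""
    ts = datetime.fromtimestamp(float(fields["t"]), tz=timezone.utc)
    return ts.strftime("%Y-%m-%d %H:%M:%S")


def session_id(fields: dict):
    """Pull the %N session number out of msg; None if there is none."""
    m = SESSION_RE.search(fields.get("msg", ""))
    return int(m.group(1)) if m else None


def summarize(text: str) -> list:
    """One line per record: time, notice type, action, session, hosts, URL."""
    return [f"{notice_time_utc(f)} {f['no']} {f['na']} session={session_id(f)} "
            f"{f['sa']}->{f['da']} {f.get('method', '')} {f.get('url', '')}"
            for f in parse_notice_log(text)]
```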