hook vs. redef

In an older implementation of Bro we had some lines in our site file that would “redef” a notice policy to add criteria to the notice, i.e. if the notice was for a SQL_Injection_Victim AND the resp_h was in a particular subnet, then trigger the notice. I’ve been testing 2.2 (the upgrade from 2.1 to 2.2 went smoothly) and trying to figure out the best way to duplicate that functionality. It seems it would be done with a hook, but do I have to first add it to ignored_types and then re-raise it? Or am I barking up the wrong tree entirely?

In a general sense I guess I’m asking how best to modify the criteria for an existing notice?



To conditionally ignore notices, you can generally handle a Notice::policy hook at a &priority greater than 10 and “break” from the hook if the notice meets criteria you deem uninteresting. That will abort all the default notice handling for that particular notice.

More documentation on hooks at: http://bro.org/sphinx/scripts/builtins.html#type-hook

- Jon
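Putting the two posts together, the original redef-style criterion (raise SQL_Injection_Victim only when the responder is in a given subnet) becomes a Notice::policy hook that breaks for every notice that does not match. This is an added example, not code from either poster: it assumes the notice type is HTTP::SQL_Injection_Victim as defined by Bro's protocols/http/detect-sqli script, and victim_net is a constructed placeholder for the local address space.

```bro
# Added example, not from the thread. Assumes the notice type is
# HTTP::SQL_Injection_Victim (from protocols/http/detect-sqli);
# victim_net below is a constructed placeholder value.
@load protocols/http/detect-sqli

module SiteNotices;

export {
	## Only SQL_Injection_Victim notices whose responder lies in this
	## network are allowed through. Constructed placeholder; override
	## it in local.bro with redef.
	const victim_net: subnet = 10.1.2.0/24 &redef;
}

# Priority above 10 runs this before the default Notice::policy
# handlers; "break" aborts all further handling of that notice
# (no email, no notice.log entry, no action from lower-priority hooks).
hook Notice::policy(n: Notice::Info) &priority=15
	{
	# Leave every other notice type untouched.
	if ( n$note != HTTP::SQL_Injection_Victim )
		return;

	# Suppress unless a connection id is attached and the responder
	# is inside the subnet we care about.
	if ( ! n?$id || n$id$resp_h !in victim_net )
		break;
	}
```

Because the filter is a hook rather than a change to the detect-sqli script itself, the upstream detection keeps running unchanged; only the decision about which victims are reported is local, and it can be checked from the Bro command line by feeding a pcap and confirming that notice.log contains SQL_Injection_Victim entries solely for responders inside victim_net.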