In an older implementation of Bro we had some lines in our site file that would “redef” a notice policy to add criteria to the notice, i.e. if the notice was for a SQL_Injection_Victim AND the resp_h was in a particular subnet, then trigger the notice. I’ve been testing 2.2 (the upgrade from 2.1 to 2.2 went smoothly) and trying to figure out the best way to duplicate that functionality. It seems it would be done with a hook, but do I have to first add it to ignored_types and then re-raise it? Or am I barking up the wrong tree entirely?
In a general sense I guess I’m asking how best to modify the criteria for an existing notice?
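An added example, not code from the original post, of how the same criteria can be expressed with the 2.2 `Notice::policy` hook: the set name `watched_servers` and its `10.0.0.0/8` value are assumptions, while `HTTP::SQL_Injection_Victim` is the full name of the notice type raised by the stock HTTP SQLi detection script.

```zeek
# Added example (not from the original post): a Bro 2.2 Notice::policy hook
# that reproduces the old "redef Notice::policy" pattern of adding an action
# only when the note type AND the responder address match.
# Assumption: watched_servers is a site-local definition, not a stock name.
module SiteNotice;

export {
	## Assumed list of servers whose SQLi-victim notices get escalated.
	const watched_servers: set[subnet] = { 10.0.0.0/8 } &redef;
}

# Every generated notice passes through this hook before its actions are
# applied, so there is no need to put the type into Notice::ignored_types
# and re-raise it; the hook simply adds an action when the criteria match.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == HTTP::SQL_Injection_Victim )
		{
		# The conn_id field is &optional on Notice::Info, so test for it
		# before dereferencing resp_h.
		if ( n?$id && n$id$resp_h in watched_servers )
			{
			add n$actions[Notice::ACTION_EMAIL];
			n$sub = fmt("responder %s is in watched_servers", n$id$resp_h);
			}
		}
	}
```

Load the script from local.bro; notices for other types, or for responders outside the set, keep whatever actions the rest of the policy assigns.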