> # ./bro -r /home/zhangwei/bro0907.dump
> generates the "alerts" as follows:
> 1094539834.607852 weird: spontaneous_FIN
> 1094539847.830742 weird: possible_split_routing

These are not "alerts" but rather "weird"'s - that is, messages that
reflect unusual/broken activity.

> First, are the terms which I use right, such as "event", "alerts"?

Per the above, those are "weird"'s. Perhaps there's a better name to use;
in the future, they might be merged with the "NOTICE" framework (which
is called ALERT in the present release, but this changes with the next
release).

> Second, can I generate those alerts directly?
> If so, which command should I use? Or how to modify the source code?

I don't know what you mean by "directly" here.
If you mean in your policy script, you do so by calling ALERT().

Vern