Hui Lin_what policy is included into Bro by default

Hi,

I think I posted similar questions before, asking how to disable the default log option.

Now, I am wondering what logs under which bro installation directories are enabled by default. I am a little confused about the Bro 2.0 policy script hierarchy (so perhaps we should include this description in the documentation?)

For example, I find an ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh events while the "policy" one includes some detection rules, such as bruteforce attacks. If I want to use them, do I have to include them, or are they already included by default?

Best,

Hui

For example, I find an ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh events while the "policy" one includes some detection rules, such as bruteforce attacks.

Yeah, the general idea is that scripts under base/ are mostly for basic state tracking and logging, while ones under policy/ do more advanced/specific things.

If I want to use them, do I have to include them, or are they already included by default?

Using bro on the command line, everything in base/ is loaded by default (overridden with the -b option), but nothing in policy/.

The site/local.bro script will load most everything in policy/ and by default that's loaded if you use broctl.

+Jon
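As an added example (not code from this thread or from the Bro distribution), here is a minimal site/local.bro fragment that makes the distinction Jon describes concrete: base/ needs no @load, policy/ does. The detect-bruteforcing path and the SSH::password_guesses_limit name are assumed from the Bro 2.x script layout and are not stated in the thread.

```bro
# Added example, not from the thread: a site/local.bro fragment showing
# how the two script trees differ in loading behaviour.
#
# Nothing from base/ needs an explicit @load here. base/protocols/ssh
# (ssh.log and the c$ssh connection record extension) is loaded
# automatically unless bro is started with -b (bare mode).
#
# Scripts under policy/ are loaded only if something @loads them. broctl
# loads site/local.bro, so this file is the usual place to pull them in.
# Assumed path: the Bro 2.x SSH brute-force detector lives at
# policy/protocols/ssh/detect-bruteforcing.bro.
@load policy/protocols/ssh/detect-bruteforcing

# Parse-time check that the detection script really was loaded: @ifdef
# tests whether an identifier is defined. SSH::password_guesses_limit is
# assumed to be the threshold constant that detect-bruteforcing defines.
@ifdef ( SSH::password_guesses_limit )
	# Lower the number of failed guesses needed before the notice fires.
	redef SSH::password_guesses_limit = 10;
@else
	# Make a misconfigured @load visible in reporter.log instead of
	# silently running without the detection.
	event bro_init()
		{
		Reporter::warning("policy/protocols/ssh/detect-bruteforcing was not loaded");
		}
@endif
```

Running bro with -b and this file would drop the base/ scripts too, so the c$ssh record the detector relies on would be missing; use -b only when you intend to load everything by hand.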

Now, I am wondering what logs under which bro installation directories are enabled by default. I am little confused on the Bro 2.0 policy script hierarchy (so perhaps we should include this description in the documentation?)

Yes, that's something that we still need to document very clearly. Fortunately there is a clear answer!

For example, I find an ssh bro policy under base/protocols/ssh and policy/protocols/ssh. I guess the "base" one is for basic ssh events while the "policy" one includes some detection rules, such as bruteforce attacks.

Scripts in base/protocols (the "base scripts") take care of a lot of the legwork of enabling and configuring the core analyzers. They also create one or more log files to log something about the protocol, and they create and populate the connection record extensions like c$ssl, c$http, c$smtp. There is still a bit of detection being done in a few of the base scripts, but over time we will pull the rest of that out into the scripts in the policy/ directory. The best way to think of what they do is provide very basic, non-detection-oriented functionality.

You had the basic idea right. :)

If I want to use them, do I have to include them, or are they already included by default?

Every single script in base/ is included by default (but you can even turn those off if you are really interested in it).

.Seth