Has anyone built a list of the possible messages that bro can generate
If you mean the events generated by the event engine, just look in bro.init
for the event handlers it defines. (Look also for the many "weird" events,
listed in weird.bro.) If you mean the messages generated by the default
policy scripts, the only way to determine those is to grep the scripts for
"log" and "print", unfortunately.
(and possibly some interpretations?)
This, alas, is a significant shortcoming. The only documentation is
the Bro paper and in the source code (and some in the policy scripts).
After the Adelaide IETF (which I'm leaving for in another hour), I will
have a major portion of my time freed up, and the #1 project for how to
use that time is to write a comprehensive user manual.
anyone could explain what "telnet ack above a hole" means, I'd appreciate
This means that Bro saw an acknowledgement for sequence # S, but the maximum
data it saw the sender transmit was S', for S' < S. This should never occur
for a correctly functioning TCP. Unfortunately, there *are* incorrectly
functioning TCPs that will sometimes do this; and, sometimes Bro gets confused
(when connections are reused) and erroneously generates this message; *and*,
it can also occur when the packet filter has dropped packets (i.e., data S
was in fact sent, but Bro never saw it). It's this last that motivated
checking for the condition and genreating the message - because it often
is telling you that Bro is dropping packets, which, unfortunately, the packet
filter sometimes itself doesn't know (i.e., the drop statistics are not