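# Source file config for running bro.
#
# This file is sourced (not executed) by the bro init/cron scripts; every
# assignment below is a plain shell variable the scripts read.  Keep it
# readable only by root / the Bro admin: it names the policy directories the
# sensor loads and the addresses reports are mailed to.

# Short host name (first label only).  NOTE: the original expression was
# `hostname | awk -F. '{ print }'`, which prints the whole line and therefore
# yields the FQDN, contradicting the "host only" intent -- `$1` is required.
BRO_HOSTNAME=$(hostname | awk -F. '{ print $1 }')
# FQDN format
# HOSTNAME=$(hostname)

# Directory containing Bro binaries
BRO_BIN_DIR="/usr/bin"

# Filename of the Bro start policy
# START_POLICY="default.bro"
BRO_START_POLICY="localhost.bro"

# Directory containing Bro logs
BROLOGS="/var/log/bro"
export BROLOGS

# Log archive directory
BRO_LOG_ARCHIVE="/var/log/bro/archive"

# Directory containing Bro signature files
BRO_SIG_DIR="/usr/share/bro/sigs"

# Bro policy paths.
# Policy files found on BROPATH are loaded and executed by the sensor, so
# whoever can write to these directories controls what Bro detects (and
# ignores).  They should be writable only by root / the Bro admin -- confirm
# permissions on every directory listed here.
# Location of site specific policy and configurations
BROSITE="/var/lib/bro/site"
# Location of host specific policy and configurations
BROHOST="/var/lib/bro/host"
BROPATH="${BROSITE}:${BROHOST}:/usr/share/bro/site:/usr/share/bro"
export BROPATH

# A prefix to use when looking for local policy files to load.
# BRO_PREFIX="local"

# Location of the Bro executable
BRO="${BRO_BIN_DIR}/bro"

# Base command line options.  -W turns on Bro's watchdog feature.
BRO_ADD_OPTS=" -W"
# Options actually passed to the Bro process (built from BRO_ADD_OPTS).
BRO_OPTS="${BRO_ADD_OPTS}"

# Interface name to listen on.  The init script defaults to the busiest one
# found when this is left empty.
BRO_CAPTURE_INTERFACE="eth0"
# Multiple interfaces should be specified as a space delimited list.
# Examples:
# BRO_CAPTURE_INTERFACE="sk0 sk1 sk5"
# BRO_CAPTURE_INTERFACE="eth0 eth3"
# BRO_CAPTURE_INTERFACE="eth0"

# If set to YES and there are any signature files ending with .bro in
# $BRO_SIG_DIR then they will be started with bro.  Set to NO to disable
# signature matching (YES/NO).
BRO_USE_SIGNATURES=YES

# Should a trace (tcpdump) file be created in the log directory (YES/NO).
# A trace file is a full packet capture of the monitored link, including
# payloads; only enable it if BROLOGS is restricted to the Bro user/admins
# and the disk space management below is turned on.
BRO_CREATE_TRACE_FILE=NO

# How long to wait during checkpointing after starting a new Bro process and
# stopping the old one.  This value is in seconds.
BRO_CHECKPOINT_OVERLAP_TIME=20

# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01 pm)
BRO_REPORT_START_TIME=0010
# How often (in hours) to generate an activity report
BRO_REPORT_INTERVAL=24
# How often to rotate the logs (in hours)
BRO_LOG_ROTATE_INTERVAL=24
# How often to restart bro (in hours)
BRO_CHECKPOINT_INTERVAL=24

# The maximum time allowed for a Bro process to clean up and exit.
# This value is in seconds.
BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours

# Use this to enable the init script to auto-restart Bro in the event of an
# unexpected shutdown.  The value should be YES or NO.
BRO_ENABLE_AUTORESTART="YES"
# Maximum times to try to auto-restart Bro before giving up.
# A value less than 1 means there is no limit to the number of restarts.
BRO_MAX_RESTART_ATTEMPTS=-1

# Location of the run-time variable directory.  This is normally /var/run/bro
# and contains the pidfile and other temporal data.
BRO_RUNTIME_DIR="/var/run/bro"

# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="root@localhost"
# Email address to send from
BRO_EMAIL_FROM="bro@localhost"

# Do you want to send external reports to an incident reporting org
# (e.g.: CERT, CIAC, etc.)?  Reports describe observed traffic/incidents on
# this network, so leave this at NO unless the recipient, the address below
# and BRO_ENCRYPT_EMAIL have all been reviewed.
BRO_EMAIL_EXTERNAL="NO"
# Email address for remote reports to be mailed to.
# NOTE(review): the value below reads like a redacted placeholder, not a real
# address -- it must be replaced before BRO_EMAIL_EXTERNAL is set to YES.
BRO_EMAIL_REMOTE="[email protected]"

# User id to install and run Bro under (an unprivileged account, not root)
BRO_USER_ID="bro"

# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
BRO_SITE_NAME=""

# Do you want to encrypt email reports (YES/NO)?  Strongly recommended if
# BRO_EMAIL_EXTERNAL is YES, since reports then leave the local host.
BRO_ENCRYPT_EMAIL="NO"
# Location of GPG binary for encrypting email
BRO_GPG_BIN="/usr/bin/gpg"

# Default BPF buffer size in bytes (4 MiB)
BRO_BPF_BUFSIZE=4194304

# Do BPF bonding
BRO_BPFBOND_ENABLE="NO"
# Interfaces to bond
BRO_BPFBOND_FLAGS="em0 em1"

# Disk space management settings
# Should the scripts manage disk space?
BRO_DISKSPACE_ENABLE="YES"
# Percent full to worry about
BRO_DISKSPACE_PCT=90
# Account watching disk space
BRO_DISKSPACE_WATCHER="root"
# Days before deleting old logs
BRO_DAYS_2_DELETION=45
# Days before compressing logs
BRO_DAYS_2_COMPRESSION=20

# Bulk data capture settings
# Bulk data directory
BRO_BULK_DIR="${BROLOGS}/bulk-trace"
# Capture filter for bulk data
BRO_BULK_CAPTURE_FILTER=""
# Days before deleting bulk data
BRO_BULK_DAYS_2_DELETION=4
# Days before compressing bulk data
BRO_BULK_DAYS_2_COMPRESSION=2

# Location of sorted log files, needed by Brooery
BROOERY_LOGS="${BROLOGS}/sorted-logs"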