BRO的local.bro 文件 /usr/local/bro/share/bro/site

! Local site policy. Customize as appropriate.

This file will not be overwritten when upgrading or reinstalling!
This script logs which scripts were loaded during each run.
此脚本记录每个运行期间加载的脚本。
@load misc/loaded-scripts

Apply the default tuning scripts for common tuning settings.
@load tuning/defaults

Estimate and log capture loss.
@load misc/capture-loss

Enable logging of memory, packet and lag statistics.
@load misc/stats

Load the scan detection script.
@load misc/scan

路由跟踪是运行在网络上的，当网络中有很多连接的时候会影响路由器的性能，谨慎开启。
performance trouble when there are a lot of traceroutes on your network.
Enable cautiously.
@load misc/detect-traceroute

当发现易受攻击的软件版本时发布通知。
Generate notices when vulnerable versions of software are discovered.
The default is to only monitor software found in the address space defined
as “local”. Refer to the software framework’s documentation for more information.
@load frameworks/software/vulnerable

*检测软件的变化
Detect software changing (e.g. attacker installing hacked SSHD).*
@load frameworks/software/version-changes

This adds signatures to detect cleartext forward and reverse windows shells.
@load-sigs frameworks/signatures/detect-windows-shells

Load all of the scripts that detect software in various protocols.
@load protocols/ftp/software
@load protocols/smtp/software
@load protocols/ssh/software
@load protocols/http/software
*The detect-webapps script could possibly cause performance trouble when
running on live traffic. Enable it cautiously.
在网络环境中使用检测程序脚本可能导致性能故障，谨慎开启。*
@load protocols/http/detect-webapps

This script detects DNS results pointing toward your Site::local_nets where the name is not part of your local DNS zone and is being hosted externally. Requires that the Site::local_zones variable is defined.
@load protocols/dns/detect-external-names

Script to detect various activity in FTP sessions.
@load protocols/ftp/detect

Scripts that do asset tracking.
@load protocols/conn/known-hosts
@load protocols/conn/known-services
@load protocols/ssl/known-certs

*This script enables SSL/TLS certificate validation.
SSL / TLS证书验证*
@load protocols/ssl/validate-certs

*This script prevents the logging of SSL CA certificates in x509.log
x509.log SSL记录CA证书*
@load protocols/ssl/log-hostcerts-only

Uncomment the following line to check each SSL certificate hash against the ICSI certificate notary service;
@load protocols/ssl/notary

If you have libGeoIP support built in, do some geographic detections and logging for SSH traffic.
@load protocols/ssh/geo-data

Detect hosts doing SSH bruteforce attacks.
@load protocols/ssh/detect-bruteforcing

Detect logins using “interesting” hostnames.
@load protocols/ssh/interesting-hostnames

Detect SQL injection attacks.
@load protocols/http/detect-sqli

Network File Handling

Enable MD5 and SHA1 hashing for all files.
@load frameworks/files/hash-all-files

Detect SHA1 sums in Team Cymru’s Malware Hash Registry.
@load frameworks/files/detect-MHR

Uncomment the following line to enable detection of the heartbleed attack. Enabling
*心脏滴血漏洞检测
this might impact performance a bit.
对性能有一些影响*
@load policy/protocols/ssl/heartbleed

*Uncomment the following line to enable logging of connection VLANs. Enabling
this adds two VLAN fields to the conn.log file.
连接到局域网的时候，记录这一事件到日志中，日志中会增加两个字段*
@load policy/protocols/conn/vlan-logging

*Uncomment the following line to enable logging of link-layer addresses. Enabling
this adds the link-layer address for each connection endpoint to the conn.log file.
日志记录链路层连接的地址*
@load policy/protocols/conn/mac-logging

*Uncomment the following line to enable the SMB analyzer.
以下脚本用来开启SMB分析
The analyzer is currently considered a preview and therefore not loaded by default.*

@load policy/protocols/smb