Bro predefines and responds to the following variables:
Default: stderr, unless you @load the log analyzer;
see §
[capture_filter : string]
Specifies what packets Bro's filter should record (§
[direct_login_prompts : set[string]]
Strings that when seen in a login dialog indicate that
the user will be directly logged in after entering their username,
without requiring a password (§
[discarder_maxlen : int]
The maximum amount of data that Bro should pass to a TCP or UDP
discarder (§
Default: 128 bytes.
[done_with_network : bool]
Set to true when Bro is done reading from the network (or from
the save files being played back, per §
Default: initially set to false.
[interfaces : string]
A blank-separated list of network interfaces from which Bro should read network traffic. Bro merges packets from the interfaces according to their timestamps. Deficiency: All interfaces must have the same link layer type.
If empty, then Bro does not read any network traffic, unless one or more interfaces are specified using the -i flag.
Note: interfaces has an &add_func that allows you to add
interfaces to the list simply using a += initialization
(§
Default: empty.
[login_failure_msgs : set[string]]
Strings that when seen in a login dialog indicate that
a user's attempt to authenticate failed
(§
[login_non_failure_msgs : set[string]]
Exceptions to login_failure_msgs (§
[login_prompts : set[string]]
Strings that when seen in a login dialog indicate a
prompt for a username (§
[login_success_msgs : set[string]]
Strings that when seen in a login dialog indicate that
the user successfully authenticated (§
[login_timeouts : set[string]]
Strings that when seen in a login dialog indicate that
the login server timed out the user's attempt to authenticate
(§
[max_timer_expires : count]
Sets an upper limit on how many pending timers Bro will expire per newly arriving packet. If set to 0, then Bro expires all pending timers whose time has come or has passed. This variable trades off timer accuracy and memory requirements (because a number of Bro's internal timers relate to expiring state) against potentially bursty load spikes due to many timers expiring at the same time, which can trigger the watchdog, if active.
[restrict_filter : string]
Restricts what packets Bro's filter should record (§
[skip_authentication : set[string]]
Strings that when seen in a login dialog indicate that
the analyzer should skip attempting to follow the authentication dialog
(§
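As an added illustration, not taken from the manual, the following policy fragment shows how a site would set several of the variables listed above from its own policy file using redef. The interface names, filter expressions and failure banner are constructed placeholders, and the note that capture_filter and restrict_filter are combined by AND when the packet filter is built is my assumption, not something this page states.

```bro
# Added example (not from the Bro manual): a local policy file that
# sets several of the predefined variables described above.

# Read from two interfaces (constructed names). The &add_func on
# `interfaces` turns each += into an append to the blank-separated list.
redef interfaces += "eth0";
redef interfaces += "eth1";

# capture_filter says what to record; restrict_filter narrows it further.
# Assumption: Bro ANDs the two together when building its packet filter.
redef capture_filter = "tcp port 23 or tcp port 513";
redef restrict_filter = "not net 10.0.0.0/8";

# Teach the login analyzer a site-specific failure banner (constructed
# string) without dropping the built-in entries of the set.
redef login_failure_msgs += { "Access denied by local policy" };

# Hand at most 64 bytes of payload to a TCP or UDP discarder
# (the default is 128).
redef discarder_maxlen = 64;

# Bound how many timers expire per packet to smooth out load spikes;
# 0 would expire every pending timer whose time has come at once.
redef max_timer_expires = 300;

# done_with_network is set once Bro has finished reading traffic, so by
# the time bro_done fires it should be true.
event bro_done()
	{
	if ( done_with_network )
		print "finished reading network traffic";
	}
```

Keeping restrict_filter as a pure narrowing expression (here excluding an internal net) and capture_filter as the positive selection makes it easy to audit which traffic the sensor can see: a change to either variable shows up as a one-line diff in the policy file.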