# Source file config for running bro
# host only format
BRO_HOSTNAME=`hostname | awk -F. ' { print } '`
# FQDN format
# HOSTNAME=`hostname`
# Directory containing Bro binaries
BRO_BIN_DIR="/usr/bin"
# Filename of the Bro start policy
# START_POLICY="default.bro"
BRO_START_POLICY="localhost.bro"
# Directory containing Bro logs
BROLOGS="/var/log/bro"
export BROLOGS
# Log archive directory
BRO_LOG_ARCHIVE="/var/log/bro/archive"
# Directory containing Bro signature files
BRO_SIG_DIR="/usr/share/bro/sigs"
# Bro policy paths
# Location of site specific policy and configurations
BROSITE="/var/lib/bro/site"
# Location of host specific policy and configurations
BROHOST="/var/lib/bro/host"
BROPATH="${BROSITE}:${BROHOST}:/usr/share/bro/site:/usr/share/bro"
export BROPATH
# A prefix to use when looking for local policy files to load.
# BRO_PREFIX="local"
# Location of the Bro executable
BRO="${BRO_BIN_DIR}/bro"
# Base command line options.
BRO_ADD_OPTS=" -W"
# Turn on Bro's Watchdog feature
BRO_OPTS="${BRO_ADD_OPTS}"
# Interface name to listen on. The default is to use the busiest one found.
BRO_CAPTURE_INTERFACE="eth0"
# Multiple interface should be specified as a space delimited list.
# Examples:
# CAPTURE_INTERFACE="sk0 sk1 sk5"
# CAPTURE_INTERFACE="eth0 eth3"
# CAPTURE_INTERFACE="eth0"
# If set to YES and there are any signature files ending with .bro in $SIG_DIR
# then they will be started with bro. Set to NO to disable signatures
# Set to YES to enable bro to run with 'signature matching' on (YES/NO)
BRO_USE_SIGNATURES=YES
# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
BRO_CREATE_TRACE_FILE=NO
# How long to wait during checkpointing after startin a new Bro process and
# stopping the old one. This value is in seconds
BRO_CHECKPOINT_OVERLAP_TIME=20
# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
BRO_REPORT_START_TIME=0010
# How often (in hours) to generate an activity report
BRO_REPORT_INTERVAL=24
# This is the how often to rotate the logs (in hours)
BRO_LOG_ROTATE_INTERVAL=24
# This is the how often to restart bro (in hours)
BRO_CHECKPOINT_INTERVAL=24
# The maximum time allowed for a Bro process to cleanup and exit
# This value is in seconds
BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours
# Use this to enable the init script to autorestart Bro in the event of an
# unexpected shutdown. The value should be YES or NO
BRO_ENABLE_AUTORESTART="YES"
# A value less than 1 means there will be no limit to the number of restarts
# Maximum times to try to auto-restart Bro before giving up.
BRO_MAX_RESTART_ATTEMPTS=-1
# Location of the run-time variable directory. This is normally /var/run/bro
# and contains the pidfile and other temporal data.
BRO_RUNTIME_DIR="/var/run/bro"
# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="root@localhost"
# Email address to send from
BRO_EMAIL_FROM="bro@localhost"
# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
BRO_EMAIL_EXTERNAL="NO"
# Email address for remote reports to be mailed to
BRO_EMAIL_REMOTE="foo@example.bar"
# User id to install and run Bro under
BRO_USER_ID="bro"
# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
BRO_SITE_NAME=""
# Do you want to encrypt email reports (YES/NO)
BRO_ENCRYPT_EMAIL="NO"
# Location of GPG binary or encrypting email
BRO_GPG_BIN="/usr/bin/gpg"
# Default BPF buffer
BRO_BPF_BUFSIZE=4194304
# Do BPF bonding
BRO_BPFBOND_ENABLE="NO"
# Interfaces to bond
BRO_BPFBOND_FLAGS="em0 em1"
# diskspace management settings
# Should I manage diskspace
BRO_DISKSPACE_ENABLE="YES"
# percent full to worry about
BRO_DISKSPACE_PCT=90
# account watching disk space
BRO_DISKSPACE_WATCHER="root"
# days before deleting old logs
BRO_DAYS_2_DELETION=45
# days before compressing logs
BRO_DAYS_2_COMPRESSION=20
# Bulk data capture settings
# Buld data directory
BRO_BULK_DIR="${BROLOGS}/bulk-trace"
# Capture filter for bulk data
BRO_BULK_CAPTURE_FILTER=""
# days before deleting bulk data
BRO_BULK_DAYS_2_DELETION=4
# days before compressing bulk data
BRO_BULK_DAYS_2_COMPRESSION=2
# location of sorted log files, needed by Brooery
BROOERY_LOGS="${BROLOGS}/sorted-logs"