According to some literature, "Bro can make intrusion announcements in real time", but when I try to run Bro, I don't find how to realize this function; I can only create some logfiles.
The "log" statement logs a string via syslog().
The system() function invokes an arbitrary shell command.
And, if it does this as said, what is the form of the alert?
Just a string. Recently, Umesh Shankar has added a framework of "attributes",
i.e., additional information associated with values, and the main impetus
behind this has been to add structure to Bro alerts, since that's really
needed so they can be better filtered/post-processed/etc. It will be in
the next major release of Bro, which I'm aiming to have out in August.
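To make the two real-time paths named above concrete, here is a small Bro policy script added as an illustration; it is not code from the original message or from the Bro distribution. It assumes the scripting syntax of Bro releases of that era: the `log` statement and `system()` builtin mentioned in the reply, plus the `connection_established` event, the `fmt()` and `network_time()` builtins and the `c$id$orig_h` / `c$id$resp_h` / `c$id$resp_p` record fields, none of which appear on the page. The watched hosts and ports are constructed sample values and the notification script path is a placeholder.

```bro
# Added example, not from the original message. Syntax assumed from Bro
# releases of that era: the log statement, system(), fmt(), network_time(),
# the connection_established event and the c$id$* fields.

# Constructed sample values: hosts whose connections should raise an alert.
global watched_hosts: set[addr] = { 10.0.0.5, 10.0.0.6 };

# Constructed sample values: services on which such a connection matters.
global watched_ports: set[port] = { 22/tcp, 23/tcp };

event connection_established(c: connection)
{
    local orig = c$id$orig_h;
    local svc = c$id$resp_p;

    if ( orig in watched_hosts && svc in watched_ports )
    {
        # Path 1: the log statement hands the string to syslog(), so a
        # syslog daemon or log watcher sees it the moment the event fires.
        log fmt("%s watched host %s connected to %s:%s",
                network_time(), orig, c$id$resp_h, svc);

        # Path 2: system() runs a shell command. The command string is
        # constant, so nothing taken from the traffic reaches the shell.
        # /usr/local/bin/notify-operator is a hypothetical placeholder.
        system("/usr/local/bin/notify-operator watched-host-connection");
    }
}
```

The split between the two paths is deliberate: anything derived from the traffic (addresses, ports, later hostnames or URIs) goes out through `log`, where it is only data, while `system()` is called with a fixed command and a fixed argument. Interpolating traffic-derived strings into a `system()` command would let a remote party place shell metacharacters into a command run on the sensor, so the notification command should look up any details it needs from the syslog record rather than receive them on its command line.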