[Bro] bro email, cleartext passwords and snort signature
vern at icir.org
Fri Feb 25 12:59:51 PST 2005
> 1) We used to run wots/swatch on bro logs periodically which checks for
> alert patterns and sends us an email for that particular bro alert
> with content being the alert line from bro logs.
> Is there a better way to do this with bro?
With the latest release there are two new notice actions, NOTICE_EMAIL and
NOTICE_PAGE, which you can use for this.
> [ I do see policy/notice.bro has some email parameter settings but does
> not seem to be working ]
Can you provide an example that demonstrates it's not working?
> 2) Our site has no cleartext password policy. I do not see passwords.bro
> policy [ as suggested by the documentation ] with the default
> installation policy files. Is there such a policy available?
Oops, it got left out inadvertently, as did rsh.bro. I'll send them
along in the next two messages so folks can play with them prior to
the next release.
> 3) The latest version seems to be failing when I am putting snort
> signatures on machine.site.bro in site/ folder.
I see that you've since figured this out. A significant change with
the 0.9a8 release was that signatures are now turned off by default.