[Bro] Question from a beginner

Seth Hall seth at icir.org
Fri Apr 6 18:29:21 PDT 2012

On Apr 2, 2012, at 11:06 PM, John Ngo wrote:

> Here is what I'm trying to do with this setup for now: Have it detect and send email alerts on any downloads for executable/suspicious files. I remember one of our old boxes uses a script called "http-ext-identified-files.bro" for this purpose 

Yep, that same functionality is built into Bro.  My -ext scripts are no longer relevant with 2.0 since they have essentially become 2.0. :)

We have a shorthand method for creating a notice policy (very similar to 1.5's notice policy and documented [1]) and the new notice with the same functionality is HTTP::Incorrect_File_Type.  I've included a few extra notices that you might want to be notified about as well.

redef Notice::emailed_types += {
    # Send email for every HTTP::Incorrect_File_Type notice.
    HTTP::Incorrect_File_Type,
};

1. http://www.bro-ids.org/documentation/notice.html#processing-notices


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
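The longer notice-policy form that the `Notice::emailed_types` shorthand abbreviates, written out as an added example (this is not code from Seth's post; it assumes the Bro 2.0 `Notice::policy` set of `PolicyItem` records with `$pred`/`$action`/`$priority` as documented at [1], and it assumes the `HTTP::Incorrect_File_Type` notice carries the sniffed MIME type in `n$sub`; the MIME-type list is constructed for the example):

```bro
# Added example, not from the original post: the explicit Notice::policy form
# for Bro 2.0. Assumes the 2.0 PolicyItem record ($pred/$action/$priority) and
# that HTTP::Incorrect_File_Type sets n$sub to the sniffed MIME type.

# Assumed set of MIME types worth an email; constructed for this example.
# Extend it with "redef emailed_mime_types += { ... };" from a local script.
const emailed_mime_types: set[string] = {
    "application/x-dosexec",    # Windows PE as reported by libmagic
    "application/x-executable",
    "application/x-elf",
} &redef;

redef Notice::policy += {
    # Email only when the sniffed type is an executable, rather than on
    # every extension/content mismatch that HTTP::Incorrect_File_Type reports.
    [$pred(n: Notice::Info) = {
        return n$note == HTTP::Incorrect_File_Type
               && n?$sub && n$sub in emailed_mime_types;
     },
     $action = Notice::ACTION_EMAIL,
     $priority = 5]
};
# Notices that do not match still take the default action and land in
# notice.log, so nothing is lost by narrowing what gets emailed.
```

Compared with `Notice::emailed_types`, the predicate lets you key the email action on the notice's contents instead of only on its type, which is what you want if the mismatch notice fires often on harmless content. Note that Bro 2.1 and later replaced the `PolicyItem` set with a `hook Notice::policy(n: Notice::Info)` in which you `add n$actions[Notice::ACTION_EMAIL]`, so this form applies to 2.0 specifically.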
