[Bro] Basic Alerts/Email questions

Eric Hacecky hacecky at jlab.org
Tue Feb 9 08:06:14 PST 2016

I've been working with Bro for about a week focused on IDS/IPS functionality.

I'm starting small and took this snip of code from someone else asking how to get email alerts and put it in my local.bro

hook Notice::policy(n: Notice::Info) &priority=0
        {
        add n$actions[Notice::ACTION_EMAIL];
        }

I went through some documentation here:


specifically the section labeled “Notice::Type” with ~40 different types listed starting with Notice::Tally.

This seems to be what is now emailed, although there are very few email notices being generated, and only from a few of the categories: Weird::Activity and Scan::Port_Scan.

I also saw code like this somewhere

redef Notice::emailed_types += {
#  FTP::Bruteforcing,
#  SMTP::Blocklist_Error_Message,
#  SMTP::Blocklist_Blocked_Host,
#  SMTP::Suspicious_Origination,
};

which seems to correlate to this documentation


So I also threw that code into my local.bro

It doesn't seem to do anything.  Is there a way I can check?  Is it redundant with the hook code above to send an email for any notice?


Next question

The modules from the previous snip that I have commented out give errors, for example:

[BroControl] > check 
bro scripts failed. 
error in /usr/local/bro/share/bro/site/local.bro, line 100: unknown identifier FTP::Bruteforcing, at or near "FTP::Bruteforcing"

Ok.  I try to see why FTP::Bruteforcing errors while FTP::Site_Exec_Success doesn't.

This script seems to correspond to FTP::Bruteforcing


While this script corresponds to FTP::Site_Exec_Success


Everything looks fine there to me... so why does FTP::Bruteforcing error but FTP::Site_Exec_Success not?


Finally, like I said my email alerts are VERY sparse.  After about a week I have the following:

Weird::Activity – I have 25 SYN_after_partial alerts.  Not particularly useful

Scan::Port_Scan - 3 alerts.  Substantially less than are actually occurring.

Aside from that I have 1 SQL injection alert from Bro.

Meanwhile I have 100s of SQLi alerts registered in snort.

I check conn.log in bro and it's seeing the sessions that snort alerts on.

I looked in /http/detect-sqli and it appears that it's just a regex.  So the regex doesn't match 90+% of the sqli attacks seen on my network?

Thanks in advance for any help,
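An added example for the configuration this post is about, written by the editor and not taken from the post or from the Bro distribution. It assumes a Bro 2.x installation run through BroControl with `MailTo` set in `broctl.cfg` (so `Notice::mail_dest` is populated) and is meant to be appended to `local.bro`. The identifiers it uses (`Notice::emailed_types`, `Notice::policy`, `Notice::ACTION_EMAIL`, `FTP::Bruteforcing`, `FTP::Site_Exec_Success`, `HTTP::SQL_Injection_Attacker`, `HTTP::SQL_Injection_Victim`, `Scan::Port_Scan`, `Weird::Activity`, `HTTP::sqli_requests_threshold`, `Notice::default_suppression_interval`, `Site::is_local_addr`) exist in Bro 2.x; the assumption that the weird name lands in `n$msg` is marked in a comment.

```bro
# Added example (not from the original post): selective e-mail notices for local.bro.
# Assumes BroControl's MailTo is set so that Notice::mail_dest is non-empty.

# FTP::Bruteforcing is declared in policy/protocols/ftp/detect-bruteforcing.bro,
# which the default local.bro does not @load, whereas FTP::Site_Exec_Success comes
# from protocols/ftp/detect, which it does.  Naming a notice type whose script is
# not loaded is what produces "unknown identifier FTP::Bruteforcing" at check time.
@load protocols/ftp/detect-bruteforcing

# Notice types to e-mail.  The Notice framework's own Notice::policy hook consults
# this set, so listing a type here is sufficient; an unconditional
# "add n$actions[Notice::ACTION_EMAIL]" hook makes this set redundant because it
# e-mails every notice regardless of type.
redef Notice::emailed_types += {
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    HTTP::SQL_Injection_Attacker,
    HTTP::SQL_Injection_Victim,
};

# Scan notices carry an $identifier, so repeats from the same source within
# Notice::default_suppression_interval (1 hour by default) are suppressed; that
# is one reason notice counts are lower than the number of scans observed.
# Shortening the interval trades fewer duplicates for more timely repeats.
redef Notice::default_suppression_interval = 30min;

# detect-sqli raises HTTP::SQL_Injection_Attacker only after a source exceeds
# HTTP::sqli_requests_threshold (default 50) matching requests within
# HTTP::sqli_requests_interval, not per request as a per-packet IDS signature does.
# Lowering the threshold raises sensitivity at the cost of more false positives.
redef HTTP::sqli_requests_threshold = 10.0;

# Selective hook: e-mail only the notices the redef above does not already cover.
hook Notice::policy(n: Notice::Info) &priority=0
    {
    # E-mail port scans only when the scanner is not a local address.
    if ( n$note == Scan::Port_Scan && n?$src && ! Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];

    # E-mail weirds except the noisy SYN_after_partial.  Assumption: the weird
    # name is carried in n$msg, as the weird-to-notice mapping sets it.
    if ( n$note == Weird::Activity && n?$msg && /SYN_after_partial/ !in n$msg )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Running `broctl check` after adding the `@load` line is the quickest way to confirm that the previously unknown identifier now resolves; `notice.log` still records every notice, so the `actions` column there shows whether `Notice::ACTION_EMAIL` was attached to a given notice even if mail delivery itself fails.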
