[Bro] Basic Alerts/Email questions

Seth Hall seth at icir.org
Tue Feb 9 20:30:23 PST 2016

> On Feb 9, 2016, at 11:06 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> hook Notice::policy(n: Notice::Info) &priority=0
>        { 
>        add n$actions[Notice::ACTION_EMAIL]; 
>        } 

I don't think you want to do this.  It will result in all notices being emailed.

> It doesn't seem to do anything.  Is there a way I can check?  Is it redundant with the hook code above to send an email for any notice?

Notice::emailed_types is a pre-implemented mechanism if you only need coarse grained decisions about what to email.  You can see how it's implemented in base/notice/main.bro.  You can either easily use that or define your own Notice::policy hook to implement any other more complicated handling that you might want.

> /usr/local/bro/share/bro/policy/protocols/ftp/detect.bro
> Everything looks fine there to me....so why does FTP::Bruteforcing error but FTP::Site_Exec_Success not?

Are you loading the policy/ftp/detect-bruteforcing.bro script?  If you aren't loading the script but you are trying to access identifiers defined in the script it won't work.

> Weird:Activity – I have 25 SYN_after_partial alerts.  Not particularly useful

I wouldn't typically put any huge attention to Weird logs or notices.  They're helpful but typically not in day to day activity.  

> Scan::Port_Scan - 3 alerts.  Substantially less than are actually occurring.

Measured how?

> Aside from that I have 1 SQL injection alert from Bro.
> Meanwhile I have 100s of SQLi alerts registered in snort.

I would pay attention to that one from Bro.  It's likely higher value to you than the 100's from Snort.

> I looked in /http/detect-sqli and it appears that it's just a regex.  So the regex doesn't match 90+% of the sqli attacks seen on my network?

Bro is doing SQL injection detection based on a larger number of attacks either coming from an attacker or going to a victim.  It was originally written to find SQL injection based data extraction (and has worked phenomenally well for that at a number of large sites).  You can see individual requests that appear to be HTTP SQL injection requests in the "tags" field in the http.log.  If you grep your http.log for URI_SQLI you will see the individual requests.  

You seem to be approaching Bro from the perspective that it's a different version of Snort.  Please try to let go of thinking about network monitoring and intrusion detection with the mindset of Snort where one signature generates one notice for a sequence of bytes.  Spend a long time digging through the logs that it's generating, it's likely that you'll get a lot of pleasant surprises and you will learn a lot about your network that you didn't already know.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list