[Bro] bro intel notice log

Alex Kefallonitis al.kefallonitis at gmail.com
Tue Mar 28 02:04:36 PDT 2017


Update: I also tried loading Critical Stack manually in local.bro

hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];
    }

@load base/frameworks/intel
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
        "/opt/critical-stack/frameworks/intel/master-public.bro.dat"
};


I get no errors. I have intel logs but no notice and emails, like do_notice
doesn't work...

2017-03-28 10:24 GMT+03:00 Alex Kefallonitis <al.kefallonitis at gmail.com>:

> I want Bro to send email notifications on all notices... but I can't get
> intel to the notice log. I can't figure out what I am doing wrong.
>
> 2017-03-27 22:27 GMT+03:00 Alex Kefallonitis <al.kefallonitis at gmail.com>:
>
>> The Critical Stack module is up and running and generates intel logs. I want
>> Bro to send email when an indicator is seen. Although I receive mail from
>> Bro for notices and I added do_notice.bro to local.bro, I have never seen a
>> notice intel email or log. Any advice?
>>
>> I also tried adding these to local.bro
>>
>> redef Notice::emailed_types += {
>>  Intel::Notice,
>>  # Intel::DOMAIN removed: it is an Intel::Type, not a Notice::Type, so it
>>  # cannot be a member of Notice::emailed_types (set[Notice::Type]).
>>  TeamCymruMalwareHashRegistry::Match,
>>  Software::Vulnerable_Version,
>>  Traceroute::Detected,
>>  Scan::Address_Scan,
>>  Scan::Port_Scan,
>>  Conn::Content_Gap,
>>  DNS::External_Name,
>>  FTP::Bruteforcing,
>>  FTP::Site_Exec_Success,
>>  HTTP::SQL_Injection_Attacker,
>>  HTTP::SQL_Injection_Victim,
>>  SMTP::Blocklist_Error_Message,
>>  SMTP::Blocklist_Blocked_Host,
>>  SMTP::Suspicious_Origination,
>>  SSH::Password_Guessing,
>>  SSH::Login_By_Password_Guesser,
>>  SSH::Watched_Country_Login,
>>  SSH::Interesting_Hostname_Login,
>>  SSL::Certificate_Expired,
>>  SSL::Certificate_Expires_Soon,
>>  SSL::Certificate_Not_Valid_Yet,
>>  Heartbleed::SSL_Heartbeat_Attack,
>>  Heartbleed::SSL_Heartbeat_Attack_Success,
>>  Heartbleed::SSL_Heartbeat_Odd_Length,
>>  Heartbleed::SSL_Heartbeat_Many_Requests,
>> };
>>
>> hook Notice::policy(n: Notice::Info)
>>     {
>>     add n$actions[Notice::ACTION_EMAIL];
>>     }
>>
>>
>> but nothing changed
>>
>
>
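An added example, not from this thread or from Critical Stack: a minimal local.bro wiring an intel hit through do_notice to an e-mail, together with the shape of the intel feed file that do_notice requires. The feed path /opt/intel/constructed.dat and its two indicators are constructed placeholders; it assumes Notice::mail_dest is already configured.

```bro
# Added example (hypothetical local.bro), not the poster's configuration.
@load base/frameworks/intel
@load frameworks/intel/seen        # feeds observed DNS names, IPs, etc. into Intel::seen
@load frameworks/intel/do_notice   # raises Intel::Notice, but only for flagged indicators

# do_notice.bro extends Intel::MetaData with a boolean do_notice field that
# defaults to F. An indicator whose meta.do_notice column is absent or F is
# still written to intel.log on a hit, but never becomes a notice, and so
# never an e-mail. The feed file is TAB-separated (shown here as <TAB>):
#
#   #fields<TAB>indicator<TAB>indicator_type<TAB>meta.source<TAB>meta.do_notice
#   evil.example.com<TAB>Intel::DOMAIN<TAB>constructed-feed<TAB>T
#   203.0.113.9<TAB>Intel::ADDR<TAB>constructed-feed<TAB>F
#
# Only the first indicator above would produce an Intel::Notice entry.
redef Intel::read_files += { "/opt/intel/constructed.dat" };

# E-mail the intel notice specifically, instead of every notice type.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

After a reload, a hit on the flagged indicator should appear in both intel.log and notice.log; a hit that only reaches intel.log points at the meta.do_notice column of the feed.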