[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))

Seth Hall seth at icir.org
Wed Oct 26 13:30:03 PDT 2011

On Oct 26, 2011, at 2:20 PM, Robin Sommer wrote:

> Ok, I'll finish this up then. Would like to get that into the beta as
> it would be step backwards from 1.5 otherwise. Are you ok turning it
> on by default?

Sure, it seems reasonable to me.

> One more thing that bothers me a bit: by default, there are no
> alarms... Everything just goes into notice.log.  To get any mails, one
> needs to configure things appropriately, which is hard at the beginning
> because one won't have a good idea what can be generated.

Eventually (maybe before the final?) I'd like to have a page in the auto-generated docs with all of the Notice::Type values and the associated documentation, so users could browse that single location and see what notices they have available for emailing, alarming, etc., along with the script that needs to be loaded in order for that notice to be raised.

> I'm sure you have thought about this: what's the reason for not using
> ACTION_ALARM as the default action, now that there aren't actually
> that many notices generated anymore?

In my mind that violates the "Bro is policy neutral" rule (or whatever I've seen in slides).  Bro generates the notices and it's a site-local decision if those notices are applicable to their environment.  Making ACTION_ALARM the default would essentially be saying that all notices are applicable to their environment.  It always sort of bothered me that anything was turned into an alarm out of the box after hearing about that.  That said, I think that shipping with some notices added to the Notice::emailed_types and Notice::alarmed_type variables in local.bro would be cool, since I see local.bro as our chance to give a suggested configuration.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
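As an added illustration of the site-local configuration the message proposes (this is not code from the thread or from the Bro project itself), the fragment below shows what a suggested local.bro could look like: a notice type is declared, raised from a script, and then opted into alarming and emailing by the site rather than by default. The variable names Notice::mail_dest, Notice::alarmed_types and Notice::emailed_types are assumed from the Bro 2.0 beta-era notice framework, and the module, notice type and event used are constructed for the example; names may differ in a given release.

```bro
# Added example (assumed Bro 2.0 beta notice API, not the project's own local.bro).
# Out of the box every notice only lands in notice.log; nothing below happens
# unless a site chooses it, which keeps the "Bro is policy neutral" rule intact.

module Site;

export {
    # Constructed notice type for the example; a real script would ship its own.
    redef enum Notice::Type += {
        Example_Event,
    };
}

# Raise the notice from some site-specific condition (constructed event name).
event Site::something_interesting(c: connection)
    {
    NOTICE([$note=Site::Example_Event,
            $msg=fmt("example condition seen from %s", c$id$orig_h),
            $conn=c]);
    }

# --- The site-local decision, as would live in local.bro ---

# Where alarm summary mails are delivered (assumed variable name).
redef Notice::mail_dest = "security-team@example.com";

# Notices this site wants written to alarm.log and included in the
# pretty-printed summary mail (assumed variable name).
redef Notice::alarmed_types += {
    Site::Example_Event,
};

# Notices this site additionally wants as an individual email (assumed variable name).
redef Notice::emailed_types += {
    Site::Example_Event,
};
```

Everything after the module definition is the part a site owns: leaving both sets empty reproduces the default of "log only", and adding a type to one of them is the explicit statement that the notice is applicable to that environment.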

