[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))
Seth Hall
seth at icir.org
Wed Oct 26 14:02:30 PDT 2011
On Oct 26, 2011, at 4:41 PM, Robin Sommer wrote:
> That argument usually applies to the event engine. For scripts,
> considering policy is hard to avoid (and as you say, by default, Bro
> 1.x did turn everything into an alarm).
I don't see any reason to not apply it all the way up to the scripts. :)
I think it just comes down to the correct mix of documentation and shortcuts.
> Or we could provide an option "default_alarm" or so that enables
> ACTION_ALARM as the default, and then put that option into local.bro
> for everybody to tune. The question would then be what to default to.
> I'm leaning towards alarming by default, in the spirit of showing off
> what Bro can do (and showing that it *is* doing something).
Yuck, I *really* don't want to have that option. We could actually just implement that as an item in Notice::policy anyway. It's a big mental change to adjust initially to multiple actions being applied to a notice. You think that people would want to start receiving all of their notices in email prior to getting a chance to look through the notices to see what they want?
Personally, I can see adding the following to local.bro to cover the example you are trying to accomplish...
redef Notice::alarmed_types += {
HTTP::SQL_Injection_Attack_Against,
HTTP::SQL_Injection_Attacker,
HTTP::Malware_Hash_Registry_Match,
HTTP::Incorrect_File_Type,
FTP::Site_Exec_Success,
SSH::Interesting_Hostname_Login,
SSH::Password_Guessing,
SSH::Watched_Country_Login,
Software::Vulnerable_Version,
};
Well crap, I guess that actually includes many of the notices that we're shipping right now (there are some higher volume ones filtered out still). Maybe this?
# Uncomment the following line to begin receiving hourly emails containing all of your notices.
#redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
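For readers following the thread, here is an added local.bro fragment (not code from the original message or from the Bro project) that expresses the choice being discussed: a fixed set of notice types that are always alarmed, plus one predicate-driven Notice::policy item that alarms any notice whose source address is local. It assumes the 2011-era (Bro 2.0) notice framework, where Notice::policy is a set of PolicyItem records with $pred/$action/$priority fields and Notice::alarmed_types is a set[Notice::Type], and that the SSH brute-forcing and HTTP SQLi scripts named in the @load lines are what define the types used.

```bro
# Added example for the discussion above; not the project's own local.bro.
# Assumes Bro 2.0's notice framework (Notice::policy as a set of PolicyItem
# records, Notice::alarmed_types as set[Notice::Type]) and that the two
# loaded scripts define SSH::Password_Guessing and HTTP::SQL_Injection_Attacker.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing
@load protocols/http/detect-sqli

# Shortcut form: these types always get ACTION_ALARM, so they appear in the
# hourly summary email without anyone having to write a policy item.
redef Notice::alarmed_types += {
    SSH::Password_Guessing,
    HTTP::SQL_Injection_Attacker,
};

# Longer form: a PolicyItem with a predicate. This alarms *any* notice type
# whose source address is inside the monitored networks (Site::is_local_addr),
# which keeps alarms for local hosts misbehaving while leaving the flood of
# notices about external scanners at the default (log-only) action.
# n$src is optional in Notice::Info, so check presence before dereferencing.
redef Notice::policy += {
    [$pred(n: Notice::Info) = {
         return n?$src && Site::is_local_addr(n$src);
     },
     $action = Notice::ACTION_ALARM,
     $priority = 5],
};
```

Note that, as Seth points out, the "alarm everything" option Robin suggests needs no new tunable: an item with no $pred and $action = Notice::ACTION_ALARM, as in the commented-out line above, already does that, and a site can uncomment it once it has looked at its notice.log and decided it wants all of that in email.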