[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))

Seth Hall seth at icir.org
Wed Oct 26 14:02:30 PDT 2011 

On Oct 26, 2011, at 4:41 PM, Robin Sommer wrote:

> That argument usually applies to the event engine. For scripts,
> considering policy is hard to avoid (and as you say, by default, Bro
> 1.x did turn everything into an alarm). 

I don't see any reason to not apply it all the way up to the scripts. :)  

I think it just comes down to the correct mix of documentation and shortcuts.

> Or we could provide an option "default_alarm" or so that enable
> ACTION_ALARM as the default, and then put that option into local.bro
> for everybody to tune. The question would then be what to default to.
> I'm leaning towards alarming by default, in the spirit of showing off
> what Bro can do (and showing that *is* doing something).


Yuck, I *really* don't want to have that option.  We could actually just implement that as an item in Notice::policy anyway.  It's a big mental change to adjust initially to multiple actions being applied to a notice.  You think that people would want to start receiving all of their notices in email prior to getting a chance to look through the notices to see what they want?

Personally, I can see adding the following to local.bro to cover the example you are trying to accomplish...

redef Notice::alarmed_types += { 
	HTTP::SQL_Injection_Attack_Against,
	HTTP::SQL_Injection_Attacker,
	HTTP::Malware_Hash_Registry_Match,
	HTTP::Incorrect_File_Type,
	FTP::Site_Exec_Success,
	SSH::Interesting_Hostname_Login,
	SSH::Password_Guessing,
	SSH::Watched_Country_Login,
	Software::Vulnerable_Version,
};

Well crap, I guess that actually includes many of the notices that we're shipping right now (there are some higher volume ones filtered out still).  Maybe this?

# Uncomment the following line to begin receiving hourly emails containing all of your notices.
#redef Notice::policy += { [$action = Notice::ACTION_ALARM, $priority = 0] };

 .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/

More information about the bro-dev mailing list