[Bro] bro email, cleartext passwords and snort signature

Vern Paxson vern at icir.org
Fri Feb 25 12:59:51 PST 2005


> 1) We used to run wots/swatch on bro logs periodically, which checks for
> alert patterns and sends us an email for that particular bro alert
> with content being the alert line from bro logs.
> 
> Is there a better way to do this with bro?

With the latest release there are two new notice actions, NOTICE_EMAIL and
NOTICE_PAGE, which you can use for this.

> [ I do see policy/notice.bro has some email parameter settings but it does
> not seem to be working ]

Can you provide an example that demonstrates it's not working?

> 2) Our site has no cleartext password policy. I do not see passwords.bro
> policy [ as suggested by the documentation ] with the default
> installation policy files. Is there such a policy available?

Oops, it got left out inadvertently, as did rsh.bro.  I'll send them
along in the next two messages so folks can play with them prior to
the next release.

> 3) The latest version seems to be failing when I am putting snort
> signatures on machine.site.bro in site/ folder.

I see that you've since figured this out.  A significant change with
the 0.9a8 release was that signatures are now turned off by default.

		Vern


