[Bro] bro email, cleartext passwords

Aashish Sharma aashish at uiuc.edu
Fri Feb 25 16:18:20 PST 2005


Thanks a lot, Vern. Getting passwords.bro and rsh.bro is very helpful. I
have activated them to enforce our site policy. 

Also, it would be nice if we could capture cleartext FTP passwords.
Recently we have seen that that's how most warez upload/download is done. 
In some of the root exploit attempts in the recent past, miscreants had their
own FTP server with a stockpile of exploits, from which they FTP'ed
selected ones to our machine using their login/password. 

> With the latest release there are two new notice actions, NOTICE_EMAIL and
> NOTICE_PAGE, which you can use for this.
> 

1)  [ From policy/notice.bro ]  
global notice_policy: set[notice_policy_item] = {
        [$pred(n: notice_info) = { return T; },
#        $result = NOTICE_ALARM_ALWAYS,
         $result = NOTICE_EMAIL,
         $priority = 0],
} &redef;

How do I set up various degrees of notification? For some things I
would like to be paged, for others an email, and the rest just logged. 

$result seems to let me set up only one notice action option here. 


> > [ I do see policy/notice.bro has some email parameter settings but does
> > not seem to be working ] 
> 
> Can you provide an example that demonstrates it's not working?
> 

However, if I understand it correctly, the email sending mechanism is defined
here in notice.bro: 

# Variables that control email notification.
global mail_notification = reading_live_traffic() &redef;
global mail_script = "mail_notice.sh" &redef;
global mail_dest = "bro" &redef;
global mail_page_dest = "bro-page" &redef;

I don't see mail_notice.sh in the scripts folder, so right now I am not very
sure how Bro is going to handle sending email notifications and what this
script is intended to do. 

Is it going to parse logs periodically and grep for NOTICE_EMAIL and
take action, or is some other mechanism intended? 


Thanks, 
Aashish 



On Fri, 2005-02-25 at 14:59, Vern Paxson wrote:
> > 1) We used to run wots/swatch on bro logs periodically which checks for
> > alert patterns and send an us an email for that particular bro alert
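One way to express several degrees of notification with the notice_policy set quoted above, as an added example that is not code from the original mail or from the Bro distribution. It assumes Bro 1.x semantics, in which notice_policy is a set of notice_policy_item records and the highest-priority item whose $pred matches selects the action for that notice; the notice types PageWorthy and MailWorthy and the critical_hosts set are hypothetical names invented for the illustration, not real Bro identifiers:

```bro
# Added example, not from the original mail or the Bro distribution.
# Assumes Bro 1.x policy/notice.bro: notice_policy is a set of
# notice_policy_item records and the matching item with the highest
# $priority decides the action.

@load notice

# Hypothetical notice types used only for this illustration; in practice
# the types come from the analyzers you load (passwords.bro, rsh.bro, ...).
redef enum Notice += {
	PageWorthy,   # e.g. an interactive root login over a cleartext protocol
	MailWorthy,   # e.g. a cleartext password seen on the wire
};

# Hypothetical list of hosts whose incidents always warrant a page.
const critical_hosts: set[addr] = { 10.0.0.5, 10.0.0.6 } &redef;

redef notice_policy += {
	# Priority 0: the catch-all. Everything at least goes to the notice file.
	[$pred(n: notice_info) = { return T; },
	 $result = NOTICE_FILE,
	 $priority = 0],

	# Priority 1: notices that should land in a mailbox.
	[$pred(n: notice_info) = { return n$note == MailWorthy; },
	 $result = NOTICE_EMAIL,
	 $priority = 1],

	# Priority 2: notices that should wake someone up.
	[$pred(n: notice_info) = { return n$note == PageWorthy; },
	 $result = NOTICE_PAGE,
	 $priority = 2],

	# Priority 3: anything involving a critical host is paged regardless
	# of its type, so a low-severity type on an important machine still
	# escalates.
	[$pred(n: notice_info) =
		{ return n?$src && n$src in critical_hosts; },
	 $result = NOTICE_PAGE,
	 $priority = 3],
};
```

The point is that the set can hold many items; each notice is evaluated against all of them, and the priorities resolve which single action applies when more than one predicate is true. With this layout, a MailWorthy notice from an ordinary host is emailed, the same notice from a host in critical_hosts is paged, and everything else is only written to the notice file.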