[Bro] bro email, cleartext passwords

Vern Paxson vern at icir.org
Sun Mar 6 00:53:01 PST 2005


> Also, it would be nice if we could capture cleartext FTP passwords.

You can get these using an "account_tried" event handler.  See its invocation
in ftp.bro.  (In fact, come to think of it, passwords.bro should be written
in terms of account_tried.)

> 1)  [ From policy/notice.bro ]  
> global notice_policy: set[notice_policy_item] = {
>         [$pred(n: notice_info) = { return T; },
> #        $result = NOTICE_ALARM_ALWAYS,
>          $result = NOTICE_EMAIL,
>          $priority = 0],
> } &redef;
> 
> How do I set up various degrees of notifications?  For some things I
> would like to be paged, for others an email, and the rest just logged.
> 
> $result seems to let me set up only one notice action option here.

The key about notice_policy is that it's a *set* of notice_policy_item's,
so you can specify a bunch of them.  So for example, here's a subset of
the notice_policy modifications we use operationally at ICSI:

	redef notice_policy += {

		# Ignore sensitive URLs that are out of the FTP directory.
		# Note that some weird clients generate tons of global/'s
		# in their fetches, too.
		[$pred(n: notice_info) = {
			return n?$URL && n$URL == /^\/?ftp\/(global\/)*etc.*/; },
		 $result = NOTICE_FILE,
		 $priority = 1],


		# wyvern generates a lot of these as it tries to look up remote
		# hosts for processing mail.
		[$pred(n: notice_info) =
			{ return n$note == DNS::DNS_PTR_Scan && n$src in wyvern.icir.org; },
		 $result = NOTICE_IGNORE,
		 $priority = 1],


		# Connections to 2766/tcp ("Solaris listen service") appear to
		# always be actually due to P2P apps.
		[$pred(n: notice_info) =
			{
			return n$note == SensitiveConnection &&
				n$msg == /Solaris listen service/;
			},
		 $result = NOTICE_FILE,
		 $priority = 1],
	};


> I don't see mail_notice.sh in the scripts folder, so right now I am not very
> sure how Bro is going to handle sending email notifications and what this
> script is intended to do.

I double-checked and it's part of the distribution:

	bro-0.9a8/scripts/mail_notice.sh

> Is it going to parse logs periodically and grep for NOTICE_EMAIL and
> take action, or is some other mechanism intended?

It's different.   The NOTICE() function will invoke email_notice() for
NOTICE_EMAIL or NOTICE_PAGE, which in turn will execute the script.

		Vern
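An added example (not from Vern's message and not part of the Bro distribution) that ties the two answers above together: an account_tried handler that captures cleartext FTP credentials, and a notice_policy that routes the resulting notices by degree (page, file, or the default). It assumes the Bro 0.9-era names used in the thread (account_tried, NOTICE_PAGE, NOTICE_FILE, notice_policy items whose higher $priority wins, as with the priority-1 items at ICSI). The notice type FTPCleartextPassword, the set sensitive_accounts and the log name ftp-creds are made up for the example, and notice_info is assumed to have a $user field.

```bro
# Added example: tiered handling of cleartext FTP credentials.
# Not part of the Bro distribution; names marked "assumed" are not
# taken from the thread.
@load notice
@load ftp

# A notice type of our own (assumed name), raised once per login attempt.
redef enum Notice += { FTPCleartextPassword };

# Accounts for which a cleartext login attempt should page someone
# (assumed list; adjust to your site).
const sensitive_accounts: set[string] = { "root", "administrator" } &redef;

# Captured credentials go to a log of their own rather than into the
# notice text, so alarm files and notification e-mail don't become a
# second copy of every password.  (Assumed log name.)
const ftp_cred_log = open_log_file("ftp-creds") &redef;

event account_tried(c: connection, user: string, passwd: string)
	{
	# account_tried is a generic event; restrict to FTP control
	# connections so logins seen by other analyzers are not logged here.
	if ( c$id$resp_p != 21/tcp )
		return;

	print ftp_cred_log, fmt("%.6f %s > %s user=%s passwd=%s",
				network_time(), c$id$orig_h, c$id$resp_h,
				user, passwd);

	# The notice carries the account name but not the password.
	# $user is assumed to be a field of notice_info.
	NOTICE([$note=FTPCleartextPassword, $conn=c, $user=user,
		$msg=fmt("cleartext FTP login attempt for account '%s'", user)]);
	}

# Three degrees of notification.  A higher $priority wins, as with the
# priority-1 items in the message above, so these override the
# priority-0 catch-all item (NOTICE_EMAIL in the notice.bro edit quoted
# in the question), which still handles everything not matched here.
redef notice_policy += {
	# Page for cleartext logins to sensitive accounts.
	[$pred(n: notice_info) =
		{
		return n$note == FTPCleartextPassword &&
			n?$user && n$user in sensitive_accounts;
		},
	 $result = NOTICE_PAGE,
	 $priority = 2],

	# Just file the rest of the FTP password notices; they are routine.
	[$pred(n: notice_info) = { return n$note == FTPCleartextPassword; },
	 $result = NOTICE_FILE,
	 $priority = 1],
};
```

Two design points. The password is written only to the separate ftp-creds log, never into $msg, because NOTICE_EMAIL and NOTICE_PAGE hand the notice text to mail_notice.sh and the alarm file; keep that log's permissions tight, since it is a plaintext credential store. And because notice_policy is a set with priorities, the page and file tiers sit at 2 and 1, leaving whatever the site set at priority 0 (NOTICE_EMAIL in the question) as the fallback for all other notices.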