[Bro] bro alerts over email

Aashish Sharma aashish at uiuc.edu
Thu Mar 17 15:31:02 PST 2005


Hello All : 

Thanks for clearing up the questions in the last email. I need some more
clarifications about email alert generation using bro. I thank you for
your time and help. 

I am writing this email in the order alert generation needs to be
configured on bro (I think). 

1) I am unable to redefine the variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file. Right now I am adding all my sensitive_URIs and ftp hot 
files into the corresponding policy files. 
export {
        const sensitive_URIs =

[ policy/http-request.bro; lines 9+ ] 


export {
        # Indexed by source & destination addresses and the id.
        const skip_hot: set[addr, addr, string] &redef;

        const hot_files =

[from policy/ftp.bro; lines 12+ ] 


So, how do I redef these variables (which are declared as 'export { const '
in the policy files) in my site/policy.bro file? 


2) In order to send emails from bro I had to comment out the following
from the notice.bro file: 

#       if ( ! mail_notification )         ----------------------- (2A)
#               return;

#       local action = notice_action_filters[n$note](n); --------- (2B)

        # Choose destination address based on action type.
#       local destination = (action == NOTICE_EMAIL) ?
#               mail_dest : mail_page_dest;
local destination = mail_dest ;


2A) I think the 'if (! mail_notification)' condition is not holding true at
all. I see the following definition 

../policy/notice.bro:global mail_notification = reading_live_traffic()
&redef; 

and 

../policy/bro.bif.bro:global reading_live_traffic: function(): bool; 

I don't see the reading_live_traffic function defined anywhere. Do I need to
redef the reading_live_traffic() function?
 
If yes, should it be in the site policy file? Would its value affect
other policy files? (It is used in conn.bro, load-level.bro and
stats.bro.) 

2B)  local action = notice_action_filters[n$note](n) 

gives the following error in the info.log file and bro stops:  

1111094454.266502 /usr/local/bro/policy/notice.bro, line 193
(notice_action_filters[n$note]): run-time error, no such index
1111094454.266502 /usr/local/bro/policy/notice.bro, line 196 (action):
run-time error, value used but not set

Commenting out the action variable makes email work fine, but I am not sure
how other things would be affected by this. 

3) Finally, after declaring sensitive_URIs in (1) and commenting out (2), I am
getting email notifications working on bro. As suggested, 
I am declaring, for example:  

        [$pred(n: notice_info) =
                {
                return n?$URL && n$URL == /^.*rootdown.pl.*$/ ;
                },
         $result = NOTICE_EMAIL,
         $priority = 4],


in my site-policy file for getting email/page alerts. If I understand it
correctly, I have to first put rootdown.pl (etc.) in the sensitive_URIs list
to get bro to generate an alert and then declare that particular alert
using the above $pred config in my site policy file. Right? 

Since this could lead to a lot of $pred declarations, is it possible to
have a formation like the following for a similar category of alerts: 

/usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
(/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
boolean operands 


which is, obviously, erroneous right now.

4) I checked again and the mail_notice.sh file comes as part of the bro tarball
and is available in the bro-09a8/scripts folder. However, after running make
install-brolite it does not get copied over to /usr/local/bro/scripts. I
thought I should let you know this. 

I appreciate all the help here. 

Thanks a lot. 

Aashish Sharma 
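The site-policy fragment below is an added example illustrating the three configuration points raised in the message above; it is not code from the original post or from the Bro distribution. It assumes that this Bro release declares sensitive_URIs and hot_files with the &redef attribute (a const without it cannot be redefined from site policy, which matches the symptom in (1)), that notice_policy is a redef-able set of [$pred, $result, $priority] records as the post's own snippet suggests, and that the HTTP notice type is named HTTP_SensitiveURI. The file names rootdown.pl and lads.exe are taken from the post; everything else is constructed.

```bro
# Site policy fragment (added example; assumptions are marked inline).
@load notice
@load http-request
@load ftp

# (2A) mail_notification is declared "&redef" in notice.bro, so a site
# policy can switch mail on without editing the stock script or touching
# reading_live_traffic().  Leaving the default in place when replaying a
# trace keeps a re-run of an old capture from paging anyone.
redef mail_notification = T;

# (1) A const carrying &redef accepts "redef x += ..." from site policy;
# one without it is rejected at parse time, and the only remedy is to add
# the attribute to the declaration in the policy file.
# Assumption: both of these consts carry &redef in this release.
redef sensitive_URIs += /rootdown\.pl/ | /lads\.exe/;
redef hot_files += /lads\.exe/;

# (3) Patterns are joined with "|" (pattern disjunction), not "||", which
# is a boolean operator and yields "requires boolean operands".  Holding
# the list in one &redef const lets later files extend the category
# without writing a new $pred per file name.
const mail_worthy_uris = /rootdown\.pl/ | /lads\.exe/ &redef;

# One predicate covers the whole category.  "pattern in string" is a
# substring match, so the /^.*X.*$/ wrapping is not needed.  The n$note
# check (HTTP_SensitiveURI is an assumed enum name) keeps unrelated
# notices that happen to carry a $URL from being mailed.
redef notice_policy += {
        [$pred(n: notice_info) =
                {
                return n$note == HTTP_SensitiveURI &&
                       n?$URL && mail_worthy_uris in n$URL;
                },
         $result = NOTICE_EMAIL,
         $priority = 4],
};
```

Routing stays entirely in notice_policy here; the "no such index" error in (2B) comes from indexing notice_action_filters with a notice type that has no entry, and nothing in this fragment adds one, so the stock notice.bro check is left as the distribution ships it.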
