[Bro] Question from a beginner

Seth Hall seth at icir.org
Fri Apr 6 18:29:21 PDT 2012


On Apr 2, 2012, at 11:06 PM, John Ngo wrote:

> Here is what I'm trying to do with this setup for now: Have it detect and send email alerts on any downloads for executable/suspicious files. I remember one of our old boxes uses a script called "http-ext-identified-files.bro" for this purpose 

Yep, that same functionality is built into Bro.  My -ext scripts are no longer relevant with 2.0 since they have essentially become 2.0. :)

We have a shorthand method for creating a notice policy (very similar to 1.5's notice policy and documented [1]) and the new notice with the same functionality is HTTP::Incorrect_File_Type.  I've included a few extra notices that you might want to be notified about as well.

redef Notice::emailed_types += {
        HTTP::Incorrect_File_Type,
        HTTP::SQL_Injection_Victim,
        SSH::Interesting_Hostname_Login,
        HTTP::Malware_Hash_Registry_Match,
};

1. http://www.bro-ids.org/documentation/notice.html#processing-notices

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
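A fuller local.bro fragment, added here as an illustration and not taken from Seth's message or from the Bro distribution, shows what the `Notice::emailed_types` shorthand needs around it to actually produce mail under Bro 2.0, and how the same effect is expressed with an explicit `Notice::policy` item when a plain per-type rule is too coarse (the general mechanism the shorthand is sugar for). Assumptions: the recipient and sender addresses are constructed placeholders; the `@load` paths follow the 2.0 script layout; `Site::local_nets` is configured, since `Site::is_local_addr` relies on it.

```bro
## Added example (not part of the original message or of Bro itself).
## Assumes Bro 2.0 script paths and a configured Site::local_nets.

# Make sure the scripts that raise the notices below are actually loaded.
# HTTP::Incorrect_File_Type comes from base/protocols/http, loaded by default.
@load protocols/http/detect-sqli            # HTTP::SQL_Injection_Victim
@load protocols/http/detect-MHR             # HTTP::Malware_Hash_Registry_Match
@load protocols/ssh/interesting-hostnames   # SSH::Interesting_Hostname_Login

# Notice::ACTION_EMAIL sends nothing while Notice::mail_dest is empty,
# which is the default, so set a recipient (and From:) before anything else.
redef Notice::mail_dest = "secops@example.org";   # constructed placeholder
redef Notice::mail_from = "bro@example.org";      # constructed placeholder

# The shorthand from the message: every notice of these types gets
# ACTION_EMAIL added, regardless of who the endpoints are.
redef Notice::emailed_types += {
        HTTP::SQL_Injection_Victim,
        SSH::Interesting_Hostname_Login,
        HTTP::Malware_Hash_Registry_Match,
};

# Same mechanism, spelled out: emailed_types is just a PolicyItem whose
# predicate tests "n$note in Notice::emailed_types".  Writing the item
# ourselves lets us narrow it.  Here HTTP::Incorrect_File_Type is mailed
# only when the server (responder) is outside Site::local_nets, so that
# an internal web app that mislabels its own downloads does not page us.
redef Notice::policy += {
        [$pred(n: Notice::Info) = {
                return n$note == HTTP::Incorrect_File_Type
                    && n?$id
                    && ! Site::is_local_addr(n$id$resp_h);
                },
         $action = Notice::ACTION_EMAIL,
         $priority = 8]
};
```

Nothing in the fragment changes how the notices are generated; it only decides which of them reach a mailbox. Put it in local.bro, run `broctl check` to catch a typo in a notice name or path, then `broctl deploy`.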
