[Bro] Question from a beginner
Seth Hall
seth at icir.org
Fri Apr 6 18:29:21 PDT 2012
On Apr 2, 2012, at 11:06 PM, John Ngo wrote:
> Here is what I'm trying to do with this setup for now: Have it detect and send email alerts on any downloads for executable/suspicious files. I remember one of our old boxes uses a script called "http-ext-identified-files.bro" for this purpose
Yep, that same functionality is built into Bro. My -ext scripts are no longer relevant with 2.0 since they have essentially become 2.0. :)
We have a shorthand method for creating a notice policy (very similar to 1.5's notice policy and documented [1]) and the new notice with the same functionality is HTTP::Incorrect_File_Type. I've included a few extra notices that you might want to be notified about as well.
# Notice types that the Notice framework should send by email.
redef Notice::emailed_types += {
    HTTP::Incorrect_File_Type,
    HTTP::SQL_Injection_Victim,
    SSH::Interesting_Hostname_Login,
    HTTP::Malware_Hash_Registry_Match,
};
1. http://www.bro-ids.org/documentation/notice.html#processing-notices
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
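The reply shows the shorthand (emailed_types). Below is an added example, not from Seth's message or the Bro distribution, of the longer policy form that emails only executable downloads and throttles repeats; it uses the Notice::policy hook of Bro 2.1 and later (and Zeek) rather than the 2.0 PolicyItem records, and assumes HTTP::Incorrect_File_Type fills n$msg as "<mime type> <method> <url>" and n$id with the connection, as the base file-ident script does.

```bro
# Added example, not part of the mailing-list reply or of Bro itself.
# Long form of a notice policy with the Notice::policy hook (Bro >= 2.1, Zeek).
# Assumption: HTTP::Incorrect_File_Type sets n$msg to "<mime type> <method> <url>"
# and n$id to the connection 4-tuple, as the base file-ident script does.

# Sniffed MIME types whose download is worth an email. Constructed list.
const exe_mime_types = /^application\/x-(dosexec|executable|msdownload)/ &redef;

hook Notice::policy(n: Notice::Info)
{
    if ( n$note != HTTP::Incorrect_File_Type )
        return;

    # Other mismatches still go to notice.log; only executables get mailed.
    if ( exe_mime_types !in n$msg )
        return;

    add n$actions[Notice::ACTION_EMAIL];

    # Collapse repeats: one email per serving host per hour, not one per file.
    if ( n?$id )
    {
        n$identifier = cat(n$id$resp_h);
        n$suppress_for = 1hr;
    }
}
```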