[Bro] Intel hits not being emailed

Harry Hoffman hhoffman at ip-solutions.net
Mon Nov 10 16:49:56 PST 2014


Thanks, Seth.

So, I think ideally I'd like to be able to alert not solely upon
connection but upon a conversation as determined either at the app level
or a combination of other flow criteria that might indicate more than
just a scan is happening.

In a large, open network, getting hits from scans is less useful than it
might be in other environments.

I'll have a read over the tutorial and see where that gets me... Likely
more questions to follow ;-)

Cheers,
Harry


On 11/10/14 9:40 AM, Seth Hall wrote:
> 
>> On Nov 8, 2014, at 8:55 PM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>>
>> I see hits in my intel.log files but I don't get emails about this. Am I
>> missing something? I'd taken this directly from the bro blog.
> 
> By default, notices are not generated for intel hits.  There is a script that we ship with Bro that gives you the ability to turn intel hits into notices based on a field in the intel data (more information can be found here: https://www.bro.org/bro-exchange-2013/exercises/intel.html).  If you have a solid idea of how you'd like things to work best for you, please let me know.  There are many ways we could make this work. ;)
> 
>   .Seth
> 
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> 
> 
> 
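
A sketch of the setup Seth describes, added here as an illustration and not taken from the thread or from the Bro blog: the shipped do_notice script turns intel hits into notices per item, and the notice type is then added to the emailed types. The file path, feed name and indicators are constructed, and it assumes a mail destination is already configured (MailTo in broctl.cfg).

```bro
# local.bro (added example; paths and indicators are constructed)

# Watch traffic for indicators and log sightings to intel.log.
@load frameworks/intel/seen

# Script shipped with Bro: raises Intel::Notice for any intel item
# whose meta.do_notice field is T.
@load frameworks/intel/do_notice

# Assumed location of the intel data file.
redef Intel::read_files += { "/usr/local/bro/share/bro/site/intel.dat" };

# Send every Intel::Notice by email to Notice::mail_dest.
redef Notice::emailed_types += { Intel::Notice };

# Contents of intel.dat. Columns must be separated by a single tab
# (shown here with spaces); "-" means the field is unset.
#
# #fields  indicator        indicator_type  meta.source       meta.do_notice  meta.if_in
# bad.example.com  Intel::DOMAIN   constructed-feed  T               HTTP::IN_HOST_HEADER
# 192.0.2.10       Intel::ADDR     constructed-feed  F               -
#
# The first item raises a notice only when the domain is seen in an
# HTTP Host header, so an application-level request has to take place.
# The second item is still written to intel.log but never raises a
# notice, which keeps scan-only address hits out of the mailbox.
```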


