[Bro] Basic Alerts/Email questions

Eric Hacecky hacecky at jlab.org
Tue Feb 9 08:06:14 PST 2016


I've been working with Bro for about a week focused on IDS/IPS functionality.

I'm starting small and took this snip of code from someone else asking how to get email alerts and put it in my local.bro

# Add the email action to every notice, regardless of type
hook Notice::policy(n: Notice::Info) &priority=0
	{
	add n$actions[Notice::ACTION_EMAIL];
	}

I went through some documentation here:

https://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.bro.html

specifically the section labeled “Notice::Type” with ~40 different types listed starting with Notice::Tally.

This seems to be what is now emailed, although there are very few email notices being generated, and only from a few of the categories: Weird::Activity and Scan::Port_Scan.

I also saw code like this somewhere

redef Notice::emailed_types += {
#  FTP::Bruteforcing,
  FTP::Site_Exec_Success,
  HTTP::SQL_Injection_Attacker,
  HTTP::SQL_Injection_Victim,
#  SMTP::Blocklist_Error_Message,
#  SMTP::Blocklist_Blocked_Host,
#  SMTP::Suspicious_Origination,
  SSH::Password_Guessing,
  SSH::Login_By_Password_Guesser,
  TeamCymruMalwareHashRegistry::Match,
  Intel::Notice,
  Intel::DOMAIN,
  Intel::CERT_HASH,
  Intel::FILE_HASH,
};

which seems to correlate to this documentation

https://www.bro.org/sphinx/bro-noticeindex.html

So I also threw that code into my local.bro

It doesn't seem to do anything.  Is there a way I can check?  Is it redundant with the hook code above to send an email for any notice?

===========

Next question

The types I have commented out in the previous snippet give errors, for example:

[BroControl] > check
bro scripts failed.
error in /usr/local/bro/share/bro/site/local.bro, line 100: unknown identifier FTP::Bruteforcing, at or near "FTP::Bruteforcing"

Ok.  I try to see why FTP::Bruteforcing errors while FTP::Site_Exec_Success doesn't.

This script seems to correspond to FTP::Bruteforcing

/usr/local/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro

While this script corresponds to FTP::Site_Exec_Success

/usr/local/bro/share/bro/policy/protocols/ftp/detect.bro

Everything looks fine there to me... so why does FTP::Bruteforcing error but FTP::Site_Exec_Success not?

============

Finally, like I said my email alerts are VERY sparse.  After about a week I have the following:

Weird::Activity - I have 25 SYN_after_partial alerts.  Not particularly useful.

Scan::Port_Scan - 3 alerts.  Substantially less than are actually occurring.

Aside from that I have 1 SQL injection alert from Bro.

Meanwhile I have 100s of SQLi alerts registered in snort.

I check conn.log in bro and it's seeing the sessions that snort alerts on.

I looked in /http/detect-sqli and it appears that it's just a regex.  So the regex doesn't match 90+% of the sqli attacks seen on my network?

Thanks in advance for any help,
Eric
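As an added illustration (not part of Eric's post or Bro's own scripts), this local.bro fragment shows the selective alternative to the catch-all hook above: it relies on Notice::emailed_types, loads the policy script that defines FTP::Bruteforcing (policy/protocols/ftp/detect-bruteforcing is not loaded by default, unlike protocols/ftp/detect), and keeps one noisy weird out of mail. The mail address is a placeholder, and it assumes the priority=0 hook from the post has been removed.

```bro
# Example local.bro fragment (added here; not from the original post).
# Where mail goes; placeholder value.
redef Notice::mail_dest = "alerts@example.org";

# Load the scripts that define the notice types referenced below.
# FTP::Site_Exec_Success comes from protocols/ftp/detect (loaded by the
# default local.bro); FTP::Bruteforcing comes from a policy/ script that is
# NOT loaded by default, which is why the identifier is otherwise unknown.
@load protocols/ftp/detect
@load protocols/ftp/detect-bruteforcing
@load protocols/http/detect-sqli
@load protocols/ssh/detect-bruteforcing
@load misc/scan

# Only these types get Notice::ACTION_EMAIL. The base notice framework has
# its own Notice::policy hook that adds the action for members of this set,
# so no catch-all hook is needed.
redef Notice::emailed_types += {
	FTP::Bruteforcing,
	FTP::Site_Exec_Success,
	HTTP::SQL_Injection_Attacker,
	HTTP::SQL_Injection_Victim,
	SSH::Password_Guessing,
	Scan::Port_Scan,
};

# Defensive exclusion: even if Weird::Activity is ever emailed, drop the
# SYN_after_partial weird. A negative priority runs after the framework's
# hooks and after any leftover priority-0 catch-all hook.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( n$note == Weird::Activity && n?$msg && "SYN_after_partial" in n$msg )
		delete n$actions[Notice::ACTION_EMAIL];
	}
```

Whether a given notice actually carried the email action is recorded in the actions column of notice.log, so `bro-cut note actions < notice.log` lists which types ended up with Notice::ACTION_EMAIL.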