[Bro] Basic Alerts/Email questions
Eric Hacecky
hacecky at jlab.org
Tue Feb 9 08:06:14 PST 2016
I've been working with Bro for about a week focused on IDS/IPS functionality.
I'm starting small and took this snip of code from someone else asking how to get email alerts and put it in my local.bro
hook Notice::policy(n: Notice::Info) &priority=0
    {
    add n$actions[Notice::ACTION_EMAIL];
    }
I went through some documentation here:
https://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.bro.html
specifically the section labeled “Notice::Type” with ~40 different types listed starting with Notice::Tally.
This seems to be what is now emailed, although there are very few email notices being generated, and only from a few of the categories: Weird::Activity and Scan::Port_Scan.
I also saw code like this somewhere
redef Notice::emailed_types += {
    # FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    HTTP::SQL_Injection_Attacker,
    HTTP::SQL_Injection_Victim,
    # SMTP::Blocklist_Error_Message,
    # SMTP::Blocklist_Blocked_Host,
    # SMTP::Suspicious_Origination,
    SSH::Password_Guessing,
    SSH::Login_By_Password_Guesser,
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
    Intel::DOMAIN,
    Intel::CERT_HASH,
    Intel::FILE_HASH,
};
which seems to correlate to this documentation
https://www.bro.org/sphinx/bro-noticeindex.html
So I also threw that code into my local.bro
It doesn't seem to do anything. Is there a way I can check? Is it redundant with the hook code above to send an email for any notice?
===========
Next question
The modules I have commented out in the previous snip give errors, for example:
[BroControl] > check
bro scripts failed.
error in /usr/local/bro/share/bro/site/local.bro, line 100: unknown identifier FTP::Bruteforcing, at or near "FTP::Bruteforcing"
Ok. I try to see why FTP::Bruteforcing errors while FTP::Site_Exec_Success doesn't.
This script seems to correspond to FTP::Bruteforcing
/usr/local/bro/share/bro/policy/protocols/ftp/detect-bruteforcing.bro
While this script corresponds to FTP::Site_Exec_Success
/usr/local/bro/share/bro/policy/protocols/ftp/detect.bro
Everything looks fine there to me....so why does FTP::Bruteforcing error but FTP::Site_Exec_Success not?
============
Finally, like I said my email alerts are VERY sparse. After about a week I have the following:
Weird::Activity – I have 25 SYN_after_partial alerts. Not particularly useful.
Scan::Port_Scan - 3 alerts. Substantially less than are actually occurring.
Aside from that I have 1 SQL injection alert from Bro.
Meanwhile I have 100s of SQLi alerts registered in snort.
I check conn.log in bro and it's seeing the sessions that snort alerts on.
I looked in /http/detect-sqli and it appears that it's just a regex. So the regex doesn't match 90+% of the sqli attacks seen on my network?
Thanks in advance for any help,
Eric
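An added example local.bro fragment that works through the three questions above; it is not the poster's code and not part of the original thread. It assumes Bro 2.4-era script paths and option names (`Notice::emailed_types`, `Notice::mail_dest`, `HTTP::sqli_requests_threshold`, `Scan::port_scan_threshold`) and a made-up mail address. The two points it relies on: FTP::Bruteforcing is declared in policy/protocols/ftp/detect-bruteforcing.bro, which is not loaded by default (detect.bro, which declares FTP::Site_Exec_Success, is), so the identifier is unknown at `broctl check` time until that script is loaded; and the notice framework's own Notice::policy hook (priority 10) is what adds ACTION_EMAIL for anything in Notice::emailed_types, so a hook that adds ACTION_EMAIL to every notice makes the list redundant.

```bro
# Added example for local.bro (not the original poster's code).
# Assumes Bro 2.4-era script names; the mail address is a placeholder.

# 1. Load the script that defines the notice type before referencing it.
#    detect-bruteforcing.bro is not in the default load set, which is why
#    FTP::Bruteforcing is an "unknown identifier" while FTP::Site_Exec_Success
#    (from detect.bro, loaded by default) is not.
@load protocols/ftp/detect-bruteforcing
@load protocols/http/detect-sqli
@load misc/scan

# 2. Only these types get Notice::ACTION_EMAIL from the framework's
#    priority-10 Notice::policy hook. Do not also keep a hook that adds
#    ACTION_EMAIL to every notice, or this list has no visible effect.
redef Notice::emailed_types += {
    FTP::Bruteforcing,
    SSH::Password_Guessing,
    HTTP::SQL_Injection_Attacker,
    Scan::Port_Scan,
};

# broctl normally sets this from MailTo in broctl.cfg; set it explicitly
# when running bro by hand. Placeholder address.
redef Notice::mail_dest = "soc@example.org";

# 3. A narrower hook than "email everything": it runs after the framework
#    hook (lower priority) and strips the e-mail action from a noisy weird
#    while leaving the notice in notice.log.
hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( n$note == Weird::Activity && n?$msg && /SYN_after_partial/ in n$msg )
        delete n$actions[Notice::ACTION_EMAIL];
    }

# 4. Sparse alerts are mostly thresholds, not the regex alone. detect-sqli
#    raises SQL_Injection_Attacker/Victim only after the URI regex matched
#    sqli_requests_threshold requests from one host within
#    sqli_requests_interval (50 per 5 min in the 2.4 script); misc/scan works
#    the same way for Scan::Port_Scan. Lower them to see individual sources
#    sooner (values here are illustrative).
redef HTTP::sqli_requests_threshold = 5.0;
redef Scan::port_scan_threshold = 10.0;
```

To check whether a type is actually being emailed, look at the `actions` column of notice.log: a notice that was handed to the mail action lists `Notice::ACTION_EMAIL` there alongside `Notice::ACTION_LOG`. Counting that column per `note` over a day is a quicker way to see what the policy is doing than waiting for mail to arrive, and it also shows whether the SQLi and scan notices are missing because they never fired (threshold not reached) or because they fired without the e-mail action.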