[Bro] ACTION_ALARM and ACTION_EMAIL
Azoff, Justin S
jazoff at illinois.edu
Wed Jan 6 07:50:47 PST 2016
I'm not sure about #2, but for 1 and 3 there is an easy way to do this with the default configuration. The notice framework has this as the notice policy:
hook Notice::policy(n: Notice::Info) &priority=10
    {
    if ( n$note in Notice::ignored_types )
        break;

    if ( n$note in Notice::not_suppressed_types )
        n$suppress_for=0secs;
    if ( n$note in Notice::alarmed_types )
        add n$actions[ACTION_ALARM];
    if ( n$note in Notice::emailed_types )
        add n$actions[ACTION_EMAIL];

    if ( n$note in Notice::type_suppression_intervals )
        n$suppress_for=Notice::type_suppression_intervals[n$note];

    # Logging is a default action.  It can be removed in a later hook if desired.
    add n$actions[ACTION_LOG];
    }
Those tables are all set up to make it easy to toggle actions:
## Ignored notice types.
const ignored_types: set[Notice::Type] = {} &redef;
## Emailed notice types.
const emailed_types: set[Notice::Type] = {} &redef;
## Alarmed notice types.
const alarmed_types: set[Notice::Type] = {} &redef;
## Types that should be suppressed for the default suppression interval.
const not_suppressed_types: set[Notice::Type] = {} &redef;
So you simply need something like this in your local.bro:
redef Notice::emailed_types += {
    HTTP::SQL_Injection_Attacker,
    HTTP::SQL_Injection_Victim,
};
If you do need to do anything more complicated, you can use your own Notice::policy and add whatever logic you want.
To not get multiple emails for the same notice you need to ensure that the notice has the $identifier set that uniquely identifies the notice. This is minimally something like cat(id$orig_h). If you look at any of the scripts in policy/ you can see how they do this.
--
- Justin Azoff
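As an added example (not code from the thread or from the Bro distribution), the following local.bro fragment ties the three questions together under the default Notice::policy hook quoted above. It assumes Bro 2.x script syntax; Intel::Notice is the type raised by meta.do_notice, while Local_Example and the telnet trigger are constructed for illustration only.

```bro
# 1. Only these types get ACTION_EMAIL: the default priority-10 hook turns
#    membership in emailed_types into the email action.
redef Notice::emailed_types += {
    Intel::Notice,
    HTTP::SQL_Injection_Attacker,
};

# 2. Everything that was not emailed goes to the alarm summary instead.
#    Priority 5 runs after the default hook (priority 10), so n$actions is
#    already populated.  Types in ignored_types never reach this handler,
#    because the default hook does `break` for them.
hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( Notice::ACTION_EMAIL !in n$actions )
        add n$actions[Notice::ACTION_ALARM];
    }

# 3. One email per alert: suppression is keyed on $identifier, so set it in
#    the NOTICE() call itself.  Local_Example is a hypothetical notice type.
redef enum Notice::Type += { Local_Example };

event connection_established(c: connection)
    {
    # Constructed trigger condition, chosen only to have something to notice on.
    if ( c$id$resp_p == 23/tcp )
        NOTICE([$note=Local_Example,
                $msg=fmt("telnet connection from %s", c$id$orig_h),
                $conn=c,
                # Same source host => same identifier => suppressed for 1hr.
                $identifier=cat(c$id$orig_h),
                $suppress_for=1hr]);
    }
```

Because suppression is checked before the policy hook runs, setting $identifier inside a Notice::policy hook does not deduplicate; it has to be present when NOTICE() is called, as in the policy/ scripts Justin mentions.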
> On Jan 6, 2016, at 10:33 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
>
> I have my sensor set up to email me notices with:
>
> hook Notice::policy(n: Notice::Info)
>     {
>     add n$actions[Notice::ACTION_EMAIL];
>     }
>
> If I understand correctly this will email me upon any entry in the notice.log. Is there a way to:
> 1. only get specific items emailed upon entry
> 2. get the rest of notice.log entries emailed with ACTION_ALARM in the alarm-mail.txt and have that ignore anything that was previously emailed.
> 3. Only get one notice email per alert?
>
> What I am doing is in the /opt/bro/share/bro/intel folder creating different folders with IOCs I want the intel framework to look over and I am using meta.do_notice to send the items of importance to the notice log.
>
> Excuse my ignorance with this subject I am just now trying to get things emailed out efficiently to reduce some noise and redundancy my analysts are seeing.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro