[Bro] ACTION_ALARM and ACTION_EMAIL
Tim Desrochers
tgdesrochers at gmail.com
Wed Jan 6 08:00:51 PST 2016
Thanks, I'll give it a shot.
On Jan 6, 2016 10:50 AM, "Azoff, Justin S" <jazoff at illinois.edu> wrote:
> I'm not sure about #2, but for 1 and 3 there is an easy way to do this
> with the default configuration. The notice framework has this as the
> notice policy:
>
> hook Notice::policy(n: Notice::Info) &priority=10
>     {
>     if ( n$note in Notice::ignored_types )
>         break;
>
>     if ( n$note in Notice::not_suppressed_types )
>         n$suppress_for=0secs;
>     if ( n$note in Notice::alarmed_types )
>         add n$actions[ACTION_ALARM];
>     if ( n$note in Notice::emailed_types )
>         add n$actions[ACTION_EMAIL];
>
>     if ( n$note in Notice::type_suppression_intervals )
>         n$suppress_for=Notice::type_suppression_intervals[n$note];
>
>     # Logging is a default action. It can be removed in a later hook if desired.
>     add n$actions[ACTION_LOG];
>     }
>
> Those tables are all set up to make it easy to toggle actions:
>
> ## Ignored notice types.
> const ignored_types: set[Notice::Type] = {} &redef;
> ## Emailed notice types.
> const emailed_types: set[Notice::Type] = {} &redef;
> ## Alarmed notice types.
> const alarmed_types: set[Notice::Type] = {} &redef;
> ## Types that should be suppressed for the default suppression interval.
> const not_suppressed_types: set[Notice::Type] = {} &redef;
>
> So you simply need something like this in your local.bro:
>
> redef Notice::emailed_types += {
>     HTTP::SQL_Injection_Attacker,
>     HTTP::SQL_Injection_Victim,
> };
>
> If you do need to do anything more complicated, you can use your own
> Notice::policy and add whatever logic you want.
>
> To not get multiple emails for the same notice you need to ensure that the
> notice has the $identifier set that uniquely identifies the notice. This
> is minimally something like cat(id$orig_h). If you look at any of the
> scripts in policy/ you can see how they do this.
>
>
>
> --
> - Justin Azoff
>
> > On Jan 6, 2016, at 10:33 AM, Tim Desrochers <tgdesrochers at gmail.com> wrote:
> >
> > I have my sensor set up to email me notices with:
> >
> > hook Notice::policy(n: Notice::Info)
> >     {
> >     add n$actions[Notice::ACTION_EMAIL];
> >     }
> >
> > If I understand correctly, this will email me upon any entry in the
> > notice.log. Is there a way to:
> > 1. only get specific items emailed upon entry
> > 2. get the rest of notice.log entries emailed with ACTION_ALARM in the
> > alarm-mail.txt and have that ignore anything that was previously emailed.
> > 3. Only get one notice email per alert?
> >
> > What I am doing is in the /opt/bro/share/bro/intel folder creating
> > different folders with IOCs I want the intel framework to look over and I
> > am using meta.do_notice to send the items of importance to the notice log.
> >
> > Excuse my ignorance with this subject; I am just now trying to get things
> > emailed out efficiently to reduce some noise and redundancy my analysts are
> > seeing.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
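Putting the three pieces of Justin's answer together, here is an added local.bro fragment (example code, not from the thread and not part of Bro itself). It assumes the Bro 2.4-era notice framework names quoted above, the Intel::Notice type that policy/frameworks/intel/do_notice.bro raises when meta.do_notice is set, and a hypothetical module Triage with a constructed note type Watched_Host_Seen and a constructed TEST-NET address used only to show how $identifier is set at the NOTICE() call.

```bro
# Added example for local.bro: not from the thread. Assumes Bro 2.4-era names
# (Notice::emailed_types, Notice::ACTION_EMAIL/ACTION_ALARM, Intel::Notice).
@load frameworks/intel/do_notice

module Triage;   # hypothetical module name

export {
    redef enum Notice::Type += {
        ## Hypothetical note type, raised below only to show $identifier use.
        Watched_Host_Seen,
    };
}

# 1. Only these notice types are mailed immediately (the default
#    Notice::policy at priority 10 adds ACTION_EMAIL for them).
redef Notice::emailed_types += {
    Intel::Notice,
    HTTP::SQL_Injection_Attacker,
};

# 2. Everything else that reaches notice.log goes to the ACTION_ALARM
#    summary instead. Priority 5 runs after the default policy, so by now
#    ACTION_EMAIL is already present for the emailed types and routing on
#    its absence keeps previously-emailed notices out of the alarm mail.
hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( Notice::ACTION_EMAIL !in n$actions )
        add n$actions[Notice::ACTION_ALARM];
    }

# 3. One mail per alert: a notice carrying $identifier is suppressed for
#    Notice::default_suppression_interval after the first one, mirroring the
#    cat(id$orig_h) pattern in the policy/ scripts. The address is a
#    constructed TEST-NET-1 value standing in for a real watch list.
event connection_established(c: connection)
    {
    if ( c$id$resp_h == 192.0.2.10 )
        NOTICE([$note=Watched_Host_Seen,
                $msg=fmt("%s contacted watched host %s",
                         c$id$orig_h, c$id$resp_h),
                $conn=c,
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Keying the identifier on the originator/responder pair means repeated connections from one host to the watched address collapse into a single email per suppression interval, while a second source host still produces its own notice; choose the identifier fields to match what the analysts consider "the same alert".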