[Bro] [bro] Scanning IP's

Tim Desrochers tgdesrochers at gmail.com
Fri Mar 18 03:25:23 PDT 2016


Sorry to beat a dead horse here but I am having a few issues with setting
the alert_email_types.

I set the following in my local.bro:
redef Notice::emailed_types += {
  Weird::Activity,
  Signatures::Sensitive_Signature,
  Signatures::Multiple_Signatures,
  Signatures::Multiple_Sig_Responders,
  Signatures::Count_Signature,
  Intel::Notice,
  TeamCymruMalwareHashRegistry::Match,
  Traceroute::Detected,
  FTP::Bruteforcing,
  FTP::Site_Exec_Success,
  SMTP::Blocklist_Error_Message,
  SMTP::Blocklist_Blocked_Host,
  SMTP::Suspicious_Origination,
  SSH::Login_By_Password_Guesser,
  SSH::Interesting_Hostname_Login,
};

Now here I would expect to only get emails from the notice framework for
the defined types.  But in actuality I get email from other things as well
such as SQL_Injection, Weird_Activity, etc.  I want the notice framework to
log all these actions but I don't want emails sent to me for them.

I am using the emailed types to send emails to an alert dashboard for
analysts to look at.  I only want things to go there that require immediate
action by the analyst; all other notices I want logged so they can view
them when they do their hourly checks of the net.

Did I configure the email_types incorrectly?  The end of my local.bro file
contains the following email types modifications I have made:

redef Notice::emailed_types += {
  Weird::Activity,
  Signatures::Sensitive_Signature,
  Signatures::Multiple_Signatures,
  Signatures::Multiple_Sig_Responders,
  Signatures::Count_Signature,
  Intel::Notice,
  TeamCymruMalwareHashRegistry::Match,
  Traceroute::Detected,
  FTP::Bruteforcing,
  FTP::Site_Exec_Success,
  SMTP::Blocklist_Error_Message,
  SMTP::Blocklist_Blocked_Host,
  SMTP::Suspicious_Origination,
  SSH::Login_By_Password_Guesser,
  SSH::Interesting_Hostname_Login,
};

# Only receive Scan Notices if they are from local network.
const local_emailed_types: set[Notice::Type] = {
  SSH::Password_Guessing,
} &redef;

hook Notice::policy(n: Notice::Info)
    {
    if (n$note in local_emailed_types && Site::is_local_addr(n$src))
        add n$actions[Notice::ACTION_EMAIL];
    }


Any help would be appreciated.

Thanks


On Sun, Feb 14, 2016 at 8:42 AM, Tim Desrochers <tgdesrochers at gmail.com>
wrote:

> Followup question:
>
> If I set this, will I still get the other notices emailed to me, such as
> items from the intel framework for which I have set meta.do_notice and
> meta.if_in?  Or will I have to make another notice hook to still allow
> those to send emails when observed?
>
> Obviously I have some bro scripting classes to attend, but in the
> meanwhile I am just trying to hack this together.
>
> Tim
>
> On Sun, Feb 14, 2016 at 7:35 AM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>> The thing to understand is that the ignored_types and emailed_types are
>> just tables defined to make tweaking the base notice policy easier.
>>
>> That default notice policy is:
>>
>> hook Notice::policy(n: Notice::Info) &priority=10
>>         {
>>         if ( n$note in Notice::ignored_types )
>>                 break;
>>
>>         if ( n$note in Notice::not_suppressed_types )
>>                 n$suppress_for=0secs;
>>         if ( n$note in Notice::alarmed_types )
>>                 add n$actions[ACTION_ALARM];
>>         if ( n$note in Notice::emailed_types )
>>                 add n$actions[ACTION_EMAIL];
>>
>>         if ( n$note in Notice::type_suppression_intervals )
>>                 n$suppress_for=Notice::type_suppression_intervals[n$note];
>>
>>         # Logging is a default action.  It can be removed in a later hook if desired.
>>         add n$actions[ACTION_LOG];
>>         }
>>
>> As you can see, adding notice types to those tables just tweaks the
>> behavior of the default Notice::policy hook.  To do some of the things you
>> want to do, you just need a hook like
>>
>> hook Notice::policy(n: Notice::Info)
>> {
>>     if (n$note == Scan::Port_Scan && Site::is_local_addr(n$src))
>>         add n$actions[Notice::ACTION_EMAIL];
>> }
>>
>> If that would get repetitive, you can create your own table like
>>
>> const local_emailed_types: set[Notice::Type] = {} &redef;
>>
>> and have the policy be
>>
>> hook Notice::policy(n: Notice::Info)
>> {
>>     if (n$note in local_emailed_types && Site::is_local_addr(n$src))
>>         add n$actions[Notice::ACTION_EMAIL];
>> }
>>
>> --
>> - Justin Azoff
>>
>> > On Feb 14, 2016, at 6:14 AM, Tim Desrochers <tgdesrochers at gmail.com>
>> wrote:
>> >
>> > As with every infrastructure I am plagued with people scanning my
>> external edge.  I see little value in getting notices for scanning attempts
>> and password guessing attempts but I do see value in running monthly
>> reports and generating blocklists based on repeat offenders.
>> >
>> > Is there a way to tell the notice framework to only create alarms
>> (emails) if it sees scans of any kind (address, port, password guessing,
>> etc) if they are from the IP's in my $HOME_NET defined in network.cfg?
>> >
>> > Justification: if I
>> >
>> > redef Notice::ignored_types += {
>> >   SSH::Password_Guessing,
>> >   Scan::Address_Scan,
>> >   Scan::Port_Scan,
>> >   HTTP::SQL_Injection_Attacker,
>> >   ShellShock::Scanner,
>> >   ScanUDP::Address_Scan,
>> >   ScanUDP::Port_Scan,
>> > };
>> >
>> > Then I get no logging of the events anywhere.  Therefore I can't run
>> reports of offenders and build active blocklists or other intel gathering
>> activities.
>> >
>> > If I:
>> >
>> > # Set rule to only email specific notice types:
>> > redef Notice::emailed_types += {
>> >   Weird::Activity,
>> >   Signatures::Sensitive_Signature,
>> >   Signatures::Multiple_Signatures,
>> >   Signatures::Multiple_Sig_Responders,
>> >   Signatures::Count_Signature,
>> >   Intel::Notice,
>> >   TeamCymruMalwareHashRegistry::Match,
>> >   Traceroute::Detected,
>> >   FTP::Bruteforcing,
>> >   FTP::Site_Exec_Success,
>> >   HTTP::SQL_Injection_Victim,
>> >   SMTP::Blocklist_Error_Message,
>> >   SMTP::Blocklist_Blocked_Host,
>> >   SMTP::Suspicious_Origination,
>> >   SSH::Login_By_Password_Guesser,
>> >   SSH::Interesting_Hostname_Login,
>> > };
>> >
>> > Then I get flooded with email from any of the guessing activity (Side
>> note: I find that the above logic doesn't restrict email notices to just
>> those listed in the defined email types above.  I still get plenty of
>> notices about events not listed in the list above).  If the redef
>> Notice::emailed_types worked it would be a start, but I'd still like to get
>> emails about IP addresses in my internal net getting scanned by other IP's
>> in my internal net; that's definitely an indicator of unwanted behavior.
>> >
>> > Any assistance would be greatly appreciated.  Just trying to tune
>> things to a manageable level.
>> >
>> > Thanks
>> > Tim
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
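Added example, not from any message in this thread: a local.bro fragment that keeps the scan-type notices in notice.log but only e-mails them when the scanning host is inside Site::local_nets (the HOME_NET from network.cfg). It relies on the ordering Justin's reply shows: the default Notice::policy hook runs at &priority=10 and adds ACTION_LOG, so a lower-priority hook runs afterwards and can strip ACTION_EMAIL that the default policy or another script's hook has already added. The set name log_only_types is my own choice.

```bro
# Notice types we want logged for reporting but not e-mailed by default.
# (Example set name; the members are the types discussed in the thread.)
const log_only_types: set[Notice::Type] = {
    SSH::Password_Guessing,
    Scan::Address_Scan,
    Scan::Port_Scan,
    HTTP::SQL_Injection_Attacker,
} &redef;

# &priority=-5 runs after the default policy (priority 10) and after any
# script hook at the default priority 0, so their ACTION_EMAIL additions
# are visible here and can be undone.  ACTION_LOG is left untouched, so
# notice.log still has every event for monthly reports and blocklists.
hook Notice::policy(n: Notice::Info) &priority=-5
    {
    # Only touch the types we want to quiet; everything else keeps the
    # actions the other hooks gave it.  Do not use 'break' here: in
    # Notice::policy that drops the notice entirely (see ignored_types).
    if ( n$note !in log_only_types )
        return;

    # n$src is an optional field; some notices only carry n$conn or
    # n$sub, so check presence before calling Site::is_local_addr.
    local from_local = n?$src && Site::is_local_addr(n$src);

    if ( from_local )
        # Internal host scanning the internal net: worth an analyst's time.
        add n$actions[Notice::ACTION_EMAIL];
    else
        # External scanner: keep the log entry, drop the e-mail.
        delete n$actions[Notice::ACTION_EMAIL];
    }
```

With this in place the redef of Notice::emailed_types can stay as it is; it only needs to list the types that should always be e-mailed regardless of source.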