[Bro] [bro] Scanning IP's
Tim Desrochers
tgdesrochers at gmail.com
Fri Mar 18 03:25:23 PDT 2016
Sorry to beat a dead horse here but I am having a few issues with setting
the alert_email_types.
I set the following in my local.bro:
redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};
Now here I would expect to only get emails from the notice framework for
the defined types. But in actuality I get email from other things as well,
such as SQL_Injection, Weird_Activity, etc. I want the notice framework to
log all these actions, but I don't want emails sent to me for them.
I am using the emailed types to send emails to an alert dashboard for
analysts to look at. I only want things to go there that require immediate
action by the analyst; all other notices I want logged, and they can view
them when they do their hourly checks of the net.
Did I configure the email_types incorrectly? The end of my local.bro file
contains the following email type modifications I have made:
redef Notice::emailed_types += {
    Weird::Activity,
    Signatures::Sensitive_Signature,
    Signatures::Multiple_Signatures,
    Signatures::Multiple_Sig_Responders,
    Signatures::Count_Signature,
    Intel::Notice,
    TeamCymruMalwareHashRegistry::Match,
    Traceroute::Detected,
    FTP::Bruteforcing,
    FTP::Site_Exec_Success,
    SMTP::Blocklist_Error_Message,
    SMTP::Blocklist_Blocked_Host,
    SMTP::Suspicious_Origination,
    SSH::Login_By_Password_Guesser,
    SSH::Interesting_Hostname_Login,
};
# Only receive Scan Notices if they are from local network.
const local_emailed_types: set[Notice::Type] = {
    SSH::Password_Guessing,
} &redef;

hook Notice::policy(n: Notice::Info)
    {
    # n$src is an optional field, so check it is present before
    # handing it to Site::is_local_addr.
    if ( n$note in local_emailed_types && n?$src && Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];
    }
Any help would be appreciated.
Thanks
On Sun, Feb 14, 2016 at 8:42 AM, Tim Desrochers <tgdesrochers at gmail.com>
wrote:
> Followup question:
>
> If I set this, will I still get the other notices emailed to me, such as
> items from the intel framework for which I have set meta.do_notice and
> meta.if_in? Or will I have to make another notice hook to still allow
> those to send emails when observed?
>
> Obviously I have some bro scripting classes to attend, but in the
> meanwhile I am just trying to hack this together.
>
> Tim
>
> On Sun, Feb 14, 2016 at 7:35 AM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>> The thing to understand is that the ignored_types and emailed_types are
>> just tables defined to make tweaking the base notice policy easier.
>>
>> That default notice policy is:
>>
>> hook Notice::policy(n: Notice::Info) &priority=10
>>     {
>>     if ( n$note in Notice::ignored_types )
>>         break;
>>
>>     if ( n$note in Notice::not_suppressed_types )
>>         n$suppress_for=0secs;
>>     if ( n$note in Notice::alarmed_types )
>>         add n$actions[ACTION_ALARM];
>>     if ( n$note in Notice::emailed_types )
>>         add n$actions[ACTION_EMAIL];
>>
>>     if ( n$note in Notice::type_suppression_intervals )
>>         n$suppress_for=Notice::type_suppression_intervals[n$note];
>>
>>     # Logging is a default action. It can be removed in a later hook
>>     # if desired.
>>     add n$actions[ACTION_LOG];
>>     }
>>
>> As you can see, adding notice types to those tables just tweaks the
>> behavior of the default Notice::policy hook. To do some of the things you
>> want to do, you just need a hook like
>>
>> hook Notice::policy(n: Notice::Info)
>>     {
>>     # n$src is optional; guard it before calling Site::is_local_addr.
>>     if ( n$note == Scan::Port_Scan && n?$src && Site::is_local_addr(n$src) )
>>         add n$actions[Notice::ACTION_EMAIL];
>>     }
>>
>> If that would get repetitive, you can create your own table like
>>
>> const local_emailed_types: set[Notice::Type] = {} &redef;
>>
>> and have the policy be
>>
>> hook Notice::policy(n: Notice::Info)
>>     {
>>     # n$src is optional; guard it before calling Site::is_local_addr.
>>     if ( n$note in local_emailed_types && n?$src && Site::is_local_addr(n$src) )
>>         add n$actions[Notice::ACTION_EMAIL];
>>     }
>>
>> --
>> - Justin Azoff
>>
>> > On Feb 14, 2016, at 6:14 AM, Tim Desrochers <tgdesrochers at gmail.com>
>> wrote:
>> >
>> > As with every infrastructure I am plagued with people scanning my
>> external edge. I see little value in getting notices for scanning attempts
>> and password guessing attempts but I do see value in running monthly
>> reports and generating blocklists based on repeat offenders.
>> >
>> > Is there a way to tell the notice framework to only create alarms
>> (emails) for scans of any kind (address, port, password guessing,
>> etc.) if they are from the IPs in my $HOME_NET defined in network.cfg?
>> >
>> > Justification: if I
>> >
>> > redef Notice::ignored_types += {
>> >     SSH::Password_Guessing,
>> >     Scan::Address_Scan,
>> >     Scan::Port_Scan,
>> >     HTTP::SQL_Injection_Attacker,
>> >     ShellShock::Scanner,
>> >     ScanUDP::Address_Scan,
>> >     ScanUDP::Port_Scan,
>> > };
>> >
>> > Then I get no logging of the events anywhere. Therefore I can't run
>> reports of offenders and build active blocklists or other intel gathering
>> activities.
>> >
>> > If I:
>> >
>> > # Set rule to only email specific notice types:
>> > redef Notice::emailed_types += {
>> >     Weird::Activity,
>> >     Signatures::Sensitive_Signature,
>> >     Signatures::Multiple_Signatures,
>> >     Signatures::Multiple_Sig_Responders,
>> >     Signatures::Count_Signature,
>> >     Intel::Notice,
>> >     TeamCymruMalwareHashRegistry::Match,
>> >     Traceroute::Detected,
>> >     FTP::Bruteforcing,
>> >     FTP::Site_Exec_Success,
>> >     HTTP::SQL_Injection_Victim,
>> >     SMTP::Blocklist_Error_Message,
>> >     SMTP::Blocklist_Blocked_Host,
>> >     SMTP::Suspicious_Origination,
>> >     SSH::Login_By_Password_Guesser,
>> >     SSH::Interesting_Hostname_Login,
>> > };
>> >
>> > Then I get flooded with email from any of the guessing activity. (Side
>> note: I find that the above logic doesn't restrict email notices to just
>> those listed in the defined email types above; I still get plenty of
>> notices about events not listed above.) If the redef
>> Notice::emailed_types worked it would be a start, but I'd still like to get
>> emails about IP addresses in my internal net being scanned by other IPs
>> in my internal net; that's definitely an indicator of unwanted behavior.
>> >
>> > Any assistance would be greatly appreciated. Just trying to tune
>> things to a manageable level.
>> >
>> > Thanks
>> > Tim
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
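Added example, not code from anyone in this thread. Justin's point above is that Notice::emailed_types only ever adds ACTION_EMAIL inside the priority-10 default policy; nothing in that hook removes an email action that some other script's Notice::policy hook (running at the default priority 0) has added. So an allowlist has to be enforced by a hook that runs after all of those, which is what the lower-priority hook below does: it keeps ACTION_LOG on every notice, strips ACTION_EMAIL from anything not on the allowlist, and still pages for the scan-type notices when the source is a local address. The module name LocalNotice, the set names, the priority of -5 and the sample allowlist entries are my choices; the example assumes the scripts that define the referenced notice types are loaded (as they are by the stock local.bro) and that Notice::mail_dest is already configured.

```bro
# Added example (not from the thread): enforce an email allowlist for the
# notice framework. Runs after the default policy (priority 10) and after
# any other script's Notice::policy hook (priority 0), so it has the last
# word on ACTION_EMAIL. Logging is left untouched.

@load base/frameworks/notice
@load base/utils/site

module LocalNotice;

export {
	## Notice types that are allowed to reach the analyst dashboard by email.
	## (Assumed allowlist; extend with redef from local.bro.)
	const emailed_allowlist: set[Notice::Type] = {
		Intel::Notice,
		TeamCymruMalwareHashRegistry::Match,
		SSH::Interesting_Hostname_Login,
	} &redef;

	## Scan-type notices that should be emailed only when the scanner
	## is inside Site::local_nets; from the outside they are logged only.
	const local_emailed_types: set[Notice::Type] = {
		SSH::Password_Guessing,
		Scan::Address_Scan,
		Scan::Port_Scan,
	} &redef;
}

hook Notice::policy(n: Notice::Info) &priority=-5
	{
	# Internal-to-internal scanning is worth an immediate page. n$src is an
	# optional field, so test for presence before handing it to is_local_addr.
	if ( n$note in local_emailed_types && n?$src && Site::is_local_addr(n$src) )
		{
		add n$actions[Notice::ACTION_EMAIL];
		return;
		}

	# Everything else: keep whatever logging action is already set, but drop
	# the email action unless the type is explicitly allowlisted. This is the
	# step Notice::emailed_types alone cannot perform, since that table only
	# adds actions and never removes them.
	if ( n$note !in emailed_allowlist && Notice::ACTION_EMAIL in n$actions )
		delete n$actions[Notice::ACTION_EMAIL];
	}
```

Load it from local.bro (or paste it at the end) in place of the emailed_types block. To confirm it behaves as intended, replay a capture with `bro -r scan.pcap local` and inspect the `actions` column of notice.log: an external Scan::Port_Scan should show Notice::ACTION_LOG only, while an Intel::Notice should show both ACTION_LOG and ACTION_EMAIL. Note that ACTION_ALARM (driven by Notice::alarmed_types) is a separate path that feeds the alarm summary mail; this hook deliberately leaves it alone.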