[Bro] Changing notice log entry actions from Action::Log to Action::Email

Espresso Beanies espressobeanies at gmail.com
Tue Apr 25 13:45:33 PDT 2017


Hi,

In searching previous Bro posts, I'm still not able to understand how to
get Bro to email certain notice types as opposed to just creating log
entries.

My local.bro file contains the following:

redef Notice::emailed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
    Intel::DOMAIN,
    Intel::CERT_HASH,
    Intel::FILE_HASH,
};
redef Notice::type_suppression_intervals += {
    [TeamCymruMalwareHashRegistry::Match] = 1hr,
    [Intel::Notice] = 1hr,
    [Intel::DOMAIN] = 1hr,
    [Intel::CERT_HASH] = 1hr,
    [Intel::FILE_HASH] = 1hr,
};


Based on this, I'm assuming I would be receiving a summary of all the
defined Notice::emailed_types every hour by email. Instead, I'm only
receiving Connection Summaries, [Bro] Crash reports, and
PacketFilter::Dropped_Packets.

If I open my notice.log I see the following:

#separator \x09
#set_separator  ,
#empty_field    (empty)
#unset_field    -
#path   notice
#open   2017-04-25-16-00-22
#fields ts      uid     id.orig_h       id.orig_p       id.resp_h       id.resp_p       fuid    file_mime_type  file_desc       proto   note    msg     sub     src     dst     p       n       peer_descr      actions suppress_for    dropped remote_location.country_code    remote_location.region  remote_location.city    remote_location.latitude        remote_location.longitude
#types  time    string  addr    port    addr    port    string  string  string  enum    enum    string  string  addr    addr    port    count   string  set[enum]       interval        bool    string  string  string  double  double
1493150418.640398       -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 41 connections).       Sampled servers:  XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX       XXX.XXX.XXX.XXX -       -       -       worker-2-9      Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
1493150706.509497       -       -       -       -       -       -       -       -       -       SSH::Password_Guessing  XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 34 connections).       Sampled servers:  XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX       XXX.XXX.XXX.XXX -       -       -       worker-2-3      Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
1493150707.543255       -       -       -       -       -       -       -       -       -       HTTP::SQL_Injection_Attacker    An SQL injection attacker was discovered!       -       XXX.XXX.XXX.XXX -       -       -       worker-1-11     Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
1493151025.415982       -       -       -       -       -       -       -       -       -       CaptureLoss::Too_Much_Loss      The capture loss script detected an estimated loss rate above 24.664%   -       -       -       -       -       worker-2-6      Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
1493151925.408827       -       -       -       -       -       -       -       -       -       CaptureLoss::Too_Much_Loss      The capture loss script detected an estimated loss rate above 35.923%   -       -       -       -       -       worker-2-5      Notice::ACTION_LOG      3600.000000     F       -       -       -       -

For these entries, where or what file do I change specific Notice::Types
from Notice::ACTION_LOG to Notice::ACTION_EMAIL?

Thanks,
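As an added example (not part of the post above), here is a local.bro fragment that switches the notice types seen in that notice.log from log-only to email, using the same Notice::emailed_types set the post already redefines and, alongside it, the Notice::policy hook the framework itself uses to turn that set into Notice::ACTION_EMAIL. The mail destination is an assumed placeholder address.

```bro
# Added example for the question above; not from the original post.
# Makes the notice types seen in the notice.log arrive by email instead of
# only as Notice::ACTION_LOG entries.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing
@load protocols/http/detect-sqli

# No email is sent while Notice::mail_dest is empty; this address is an
# assumed placeholder, replace it with the real recipient.
redef Notice::mail_dest = "soc@example.com";

# Listing a type here is enough: the framework's own Notice::policy hook
# adds Notice::ACTION_EMAIL for every notice whose type is in this set.
redef Notice::emailed_types += {
	SSH::Password_Guessing,
	HTTP::SQL_Injection_Attacker,
};

# Finer control: a Notice::policy hook runs for every notice before its
# actions are applied, so the decision can depend on more than the type.
# Here the capture-loss notice is emailed only once the reported loss is
# high, and SQL-injection notices only when the source is not a local host.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == CaptureLoss::Too_Much_Loss && /above [3-9][0-9]\./ in n$msg )
		add n$actions[Notice::ACTION_EMAIL];

	if ( n$note == HTTP::SQL_Injection_Attacker && n?$src && ! Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Once this takes effect, the actions column of notice.log shows Notice::ACTION_EMAIL next to Notice::ACTION_LOG for the matching entries, which is a quick way to confirm the policy fired even if mail delivery itself fails.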

