[Bro] Changing notice log entry actions from Action::Log to Action::Email
Espresso Beanies
espressobeanies at gmail.com
Tue Apr 25 13:45:33 PDT 2017
Hi,
In searching previous Bro posts, I'm still not able to understand how to
get Bro to email certain notice types as opposed to just creating log
entries.
My local.bro file contains the following:
redef Notice::emailed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
    Intel::DOMAIN,
    Intel::CERT_HASH,
    Intel::FILE_HASH,
};

redef Notice::type_suppression_intervals += {
    [TeamCymruMalwareHashRegistry::Match] = 1hr,
    [Intel::Notice] = 1hr,
    [Intel::DOMAIN] = 1hr,
    [Intel::CERT_HASH] = 1hr,
    [Intel::FILE_HASH] = 1hr,
};
Based on this, I'm assuming I would be receiving a summary of all the
defined Notice::emailed_types every hour by email. Instead, I'm only
receiving Connection Summaries, [Bro] Crash reports, and
PacketFilter::Dropped_Packets.
If I open my notice.log I see the following:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2017-04-25-16-00-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1493150418.640398 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 41 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-9 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150706.509497 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 34 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-3 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150707.543255 - - - - - - - - - HTTP::SQL_Injection_Attacker An SQL injection attacker was discovered! - XXX.XXX.XXX.XXX - - - worker-1-11 Notice::ACTION_LOG 3600.000000 F - - - - -
1493151025.415982 - - - - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 24.664% - - - - - worker-2-6 Notice::ACTION_LOG 3600.000000 F - - - - -
1493151925.408827 - - - - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 35.923% - - - - - worker-2-5 Notice::ACTION_LOG 3600.000000 F - - - -
For these entries, where (or in what file) do I change specific Notice::Types
from Notice::ACTION_LOG to Notice::ACTION_EMAIL?
Thanks,
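The assignment the question asks about is made by the Notice::policy hook in base/frameworks/notice/main.bro: at &priority=10 it adds Notice::ACTION_EMAIL to every notice whose type is in Notice::emailed_types, and Notice::ACTION_LOG to every notice. That is why the types listed in the post would carry both actions once they fire, while SSH::Password_Guessing, HTTP::SQL_Injection_Attacker and CaptureLoss::Too_Much_Loss, which are not in the set, show only Notice::ACTION_LOG in notice.log. Three things worth checking before adding types: Notice::emailed_types is a set[Notice::Type], so Intel::DOMAIN, Intel::CERT_HASH and Intel::FILE_HASH (values of Intel::Type, not notice types) do not belong in it; Notice::mail_dest must be set, because Notice::email_notice_to returns without sending when the destination is empty or when Bro is reading a trace instead of live traffic; and a suppression interval only drops repeats of the same notice identifier for that long, it does not batch notices into an hourly digest. Connection summaries and crash reports are mailed by BroControl's cron, not by the notice framework. The local.bro fragment below is an added example, not code from the original post or from Bro's own scripts; the mail address and the worker names are placeholders.

```bro
# Added example (not from the original post or from Bro's scripts):
# a local.bro fragment that emails the notice types seen in the
# poster's notice.log. The @loads match the default local.bro and
# are what define these Notice::Type values.
@load protocols/ssh/detect-bruteforcing   # defines SSH::Password_Guessing
@load protocols/http/detect-sqli          # defines HTTP::SQL_Injection_Attacker
@load misc/capture-loss                   # defines CaptureLoss::Too_Much_Loss

# ACTION_EMAIL is a no-op while mail_dest is "" (the default), and mail
# is only sent on live traffic, never when reading a pcap.
redef Notice::mail_dest = "soc@example.com";   # placeholder address

# Route 1: list the types. The base Notice::policy hook (priority 10)
# adds ACTION_EMAIL for every note in this set and ACTION_LOG for all
# notices, so these types end up with both actions. Only Notice::Type
# values belong here; Intel::DOMAIN and friends are Intel::Type values.
redef Notice::emailed_types += {
    SSH::Password_Guessing,
    HTTP::SQL_Injection_Attacker,
};

# Suppression is per note type and identifier: a repeat of the same
# notice inside the interval is dropped, not batched into a digest.
redef Notice::type_suppression_intervals += {
    [SSH::Password_Guessing] = 1hr,
    [HTTP::SQL_Injection_Attacker] = 1hr,
};

# Route 2: a policy hook, for decisions the set cannot express. It runs
# at the default priority 0, i.e. after the base hook, so it sees the
# actions already assigned and may add or remove them per notice.
# Placeholder: workers whose capture-loss notices should be mailed.
const capture_loss_mail_peers: set[string] = { "worker-2-5", "worker-2-6" } &redef;

hook Notice::policy(n: Notice::Info)
    {
    # Email capture-loss notices only for the listed workers; every
    # notice still keeps the ACTION_LOG the base hook gave it.
    if ( n$note == CaptureLoss::Too_Much_Loss &&
         n?$peer_descr && n$peer_descr in capture_loss_mail_peers )
        add n$actions[Notice::ACTION_EMAIL];

    # Password-guessing notices whose source is inside the local
    # networks (Site::local_nets) stay in notice.log but are not mailed.
    if ( n$note == SSH::Password_Guessing &&
         n?$src && Site::is_local_addr(n$src) )
        delete n$actions[Notice::ACTION_EMAIL];
    }
```

Run `broctl check` after editing local.bro; a non-Notice::Type value in Notice::emailed_types is reported there as a type clash before the configuration is deployed. If a type should be mailed and not logged, the hook can `delete n$actions[Notice::ACTION_LOG]` for it, but the log line is usually worth keeping as the durable record that the email was sent.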