[Bro] Help with bro scripting exercise question

craig bowser reswob10 at gmail.com
Wed Aug 2 19:54:24 PDT 2017


I'm trying to do several things. My main goal is to learn how to script so
I can build notices and alerts based on threats specific to my environment.

Right now, I'm trying to figure out how to get bro to send an email when it
generates a notice.

I've been looking at this page:

https://www.bro.org/sphinx-git/frameworks/notice.html

and this page:

https://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.bro.html

and this email from the archive:

http://mailman.icsi.berkeley.edu/pipermail/bro/2014-October/007621.html

and this reference from a google search:

https://books.google.com/books?id=TTIDAQAAQBAJ&pg=PA283&lpg=PA283&dq=Notice::mail_dest&source=bl&ots=Uw_GRZCI2Q&sig=lzDZWVnDNdfIuFaRP16OWgXvk-4&hl=en&sa=X&ved=0ahUKEwinzbCT97nVAhUC7IMKHaBzDjkQ6AEIPTAE

But my attempt at putting all of that together using the example script
from the aforementioned 2011 exercise isn't working...

#redef Notice::alarmed_types += {
#SSH::Password_Guessing
#};
redef Notice::ignored_types += {
};

redef Notice::mail_dest = "reswob10 at gmail.com";

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSH::Password_Guessing )
                add n$actions[Notice::ACTION_EMAIL];
        }


Any direction you can provide would be helpful.

And yes, I've gone through most of those exercises at try.bro.org, but they
don't cover how to send notices via email.


Thanks.

Craig

On 2 Aug 2017 9:55 pm, "Seth Hall" <seth at corelight.com> wrote:

> Sorry that code is out of date!  Quite a few years have passed since
> that workshop.  Are you just trying to go through the workshop code or
> are you actually trying to achieve a particular behavior?  If you're
> trying to achieve a behavior, I can help you out with the more modern
> way to do that if you'd like.  If you are just trying to go through
> the workshop code then I'd say to just skip that one. :)
>
> Have you looked at the exercises on http://try.bro.org/?
>
>   .Seth
>
> On Wed, Aug 2, 2017 at 9:19 PM, craig bowser <reswob10 at gmail.com> wrote:
> >
> > Hello all, trying to learn bro scripting.  I am working through the
> > exercises from the 2011 workshop and I'm getting an error.
> >
> > I'm on this page:
> > https://www.bro.org/bro-workshop-2011/exercises/notices/index.html
> >
> > I'm on Pt3 More Advanced Policy Notice running this script:
> >
> > const watched_servers: set[addr] = {
> > 172.16.238.136,
> > 172.16.238.168,
> > } &redef;
> >
> > redef Notice::policy += {
> >       [$action = Notice::ACTION_ALARM,
> >        $pred(n: Notice::Info) =
> >               {
> >               return n$note == SSH::Login && n$id$resp_h in watched_servers;
> >               }
> >       ]
> > };
> >
> >
> > And I'm getting an error that says
> >
> > #bro -r ssh.pcap local advancebro.bro
> > error in ./advancebro.bro, line 10: unknown identifier SSH::Login, at or
> > near "SSH::Login"
> >
> >
> > Is the SSH::Login no longer a valid function?
> >
> > Thanks.
> >
> >
> > Craig L Bowser
> > ____________________________
> >
> > This email is measured by size.  Bits and bytes may have settled during
> > transport.
> >
>
>
>
> --
> Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com
>
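The modern hook-based pattern from Craig's script, together with a Bro 2.x rewrite of the 2011 `watched_servers` exercise it replaces, as one added example (not code from the thread or from the Bro distribution); the watched addresses, the mail settings and the `@load` of the SSH brute-force detector are assumptions:

```bro
# Added example (not from the thread): the 2011 exercise rewritten against the
# Bro 2.x Notice framework, plus the e-mail action the question asks about.
# Assumed: the SSH brute-force detector is loaded and a working sendmail exists.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

# Servers whose notices we always want mailed (constructed addresses, same as
# the ones used in the workshop exercise).
const watched_servers: set[addr] = {
    172.16.238.136,
    172.16.238.168,
} &redef;

# Where mail goes and who it comes from. Notice::mail_dest is empty by default,
# so ACTION_EMAIL silently does nothing until it is set.
redef Notice::mail_dest = "soc@example.com";
redef Notice::mail_from = "Bro <bro@example.com>";
redef Notice::sendmail  = "/usr/sbin/sendmail";

# Declarative form: every notice of these types gets ACTION_EMAIL, no hook needed.
redef Notice::emailed_types += {
    SSH::Password_Guessing,
};

# Hook form, replacing the old `redef Notice::policy += { [$pred=...] }` table.
# The hook runs once per notice; adding to n$actions selects what happens to it.
hook Notice::policy(n: Notice::Info)
    {
    # n$id is &optional: notices raised without a connection (for example the
    # aggregated SSH::Password_Guessing notice) do not carry it, so test first.
    if ( n?$id && n$id$resp_h in watched_servers )
        {
        add n$actions[Notice::ACTION_EMAIL];
        add n$actions[Notice::ACTION_ALARM];
        }
    }
```

Load it alongside `local` (for example `bro -r ssh.pcap local thisscript.bro`) and check `notice.log` for an `Notice::ACTION_EMAIL` entry in the `actions` column; if the action is recorded there but no mail arrives, the problem is the sendmail path or `Notice::mail_dest`, not the script.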