[Bro] Email Notice attempt #2
craig bowser
reswob10 at gmail.com
Thu Aug 10 19:34:21 PDT 2017
OK, I've been continuing to work at this and I found Scott Runnell's most
excellent blog posts and I've been following part #3.
http://ryesecurity.blogspot.com/2012/05/learning-bro-scripting-language.html
Now I know that bro has updated a lot since then, but I think I've got the
syntax right. However, while the code works and I get one notice in my
notice.log, I'm not getting an emailed alert.
What am I still missing?
Thanks.
-------------------------------------------
module HTTP;

export {
    redef enum Notice::Type += {
        ## Generated if a site is detected using Basic Access Authentication
        HTTP::Basic_Auth_Server
    };
}

# Address that Notice::ACTION_EMAIL delivers to. The list archive
# shows it as "reswob10 at gmail.com"; the script needs a real address.
redef Notice::mail_dest = "reswob10@gmail.com";

# Any notice of this type gets ACTION_EMAIL added automatically.
redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

# Belt-and-braces: also add the email action from the policy hook.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == HTTP::Basic_Auth_Server )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Header names are delivered upper-cased, so match on AUTHORIZATION.
event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    if ( /AUTHORIZATION/ in name && /Basic/ in value )
        {
        NOTICE([$note=HTTP::Basic_Auth_Server,
                # one notice per server host/port for a day
                $identifier=cat(c$id$resp_h, c$id$resp_p),
                $suppress_for=1day,
                $conn=c]);
        }
    }
Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during
transport.
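A first check when a notice is logged but no mail arrives is whether Bro actually attached Notice::ACTION_EMAIL to the notice: the actions set is written to the `actions` column of notice.log, so if ACTION_EMAIL is absent the emailed_types/policy configuration never took effect, and if it is present Bro did hand the message to its sendmail binary (Notice::sendmail) and the problem is on the mail side. The following script is an added example, not code from the original post or from the Bro project; it parses a Bro ASCII log by its `#fields` header and reports that status per notice. The notice.log sample is constructed inline with a reduced subset of the real notice.log columns, and the `notice_email_status` and `diagnose` helper names are this example's own.

```python
# Parse a Bro/Zeek ASCII notice.log and report whether each notice of a
# given type carried Notice::ACTION_EMAIL in its 'actions' set.

def parse_bro_log(text):
    """Parse a Bro/Zeek TSV log. Returns (records, set_separator, empty_field).
    Header lines (#fields, #set_separator, ...) are honoured; unset fields ('-')
    become None. Only the column names in the #fields line are assumed."""
    fields = None
    set_sep, unset, empty = ",", "-", "(empty)"
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "set_separator":
                set_sep = rest
            elif key == "unset_field":
                unset = rest
            elif key == "empty_field":
                empty = rest
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append({n: (None if v == unset else v) for n, v in zip(fields, values)})
    return records, set_sep, empty


def notice_email_status(log_text, note="HTTP::Basic_Auth_Server"):
    """For every notice of type `note`, say whether ACTION_EMAIL was attached."""
    records, set_sep, empty = parse_bro_log(log_text)
    out = []
    for r in records:
        if r.get("note") != note:
            continue
        raw = r.get("actions")
        actions = [] if raw in (None, empty) else raw.split(set_sep)
        out.append({
            "ts": r["ts"],
            "resp_h": r.get("id.resp_h"),
            "actions": actions,
            "emailed": "Notice::ACTION_EMAIL" in actions,
        })
    return out


def diagnose(statuses):
    """Turn the per-notice status list into a one-line next step."""
    if not statuses:
        return "no notices of that type logged: the event handler never raised NOTICE()"
    if all(s["emailed"] for s in statuses):
        return ("ACTION_EMAIL applied: Bro invoked its sendmail binary; check "
                "Notice::sendmail, Notice::mail_dest and the MTA log")
    return ("ACTION_EMAIL missing: the notice was logged but neither "
            "Notice::emailed_types nor the Notice::policy hook added the email action")


# Constructed sample notice.log with a reduced column set (not real traffic).
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions\tsuppress_for",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tset[enum]\tinterval",
    "\t".join(["1502416800.123456", "CXWv6p3arKYeMETxOg", "10.0.0.5", "51234",
               "192.0.2.10", "80", "HTTP::Basic_Auth_Server", "-",
               "Notice::ACTION_LOG", "86400.000000"]),
    "\t".join(["1502416900.654321", "CjhGID4nQcgTWjvg4c", "10.0.0.7", "51300",
               "192.0.2.20", "8080", "HTTP::Basic_Auth_Server", "-",
               "Notice::ACTION_LOG,Notice::ACTION_EMAIL", "86400.000000"]),
    "#close\t2017-08-10-20-00-00",
])

if __name__ == "__main__":
    for s in notice_email_status(SAMPLE_NOTICE_LOG):
        print(s["ts"], s["resp_h"], s["actions"], "emailed" if s["emailed"] else "NOT emailed")
    print(diagnose(notice_email_status(SAMPLE_NOTICE_LOG)))
```

Run it against a real log with `notice_email_status(open("notice.log").read())`; the parser keys on the `#fields` line, so extra columns in a full notice.log do not matter. Whether the suppression window (`suppress_for`) has swallowed later notices is visible in the same file, since only the first notice per identifier is written during that interval.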