[Bro] Email Notice attempt #2
craig bowser
reswob10 at gmail.com
Sat Aug 12 10:11:46 PDT 2017
OK, further refinement:
I've been going over the documentation for notices and raising alerts and
googling and I think I've got the right code syntax, but I still am not
getting emailed alerts.
I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro
const mail_dest = "reswob10 at gmail.com" &redef;
And here is my script:
module HTTP;

export {
    redef enum Notice::Type += {
        ## Generated if a site is detected using Basic Access Authentication
        HTTP::Basic_Auth_Server
    };
}

redef Notice::mail_dest = "reswob10 at gmail.com";

hook Notice::policy(n: Notice::Info)
    {
    # Both statements belong to the condition: the email action must be
    # attached only to this notice type, not to every notice that is raised.
    if ( n$note == HTTP::Basic_Auth_Server )
        {
        print n$note;
        add n$actions[Notice::ACTION_EMAIL];
        }
    }

event http_header(c: connection, is_orig: bool, name: string, value: string)
    {
    # Header names are delivered upper-cased; look for a Basic-scheme Authorization header
    if ( /AUTHORIZATION/ in name && /Basic/ in value )
        {
        # local parts: string_array;
        # parts = split1(decode_base64(sub_bytes(value, 7, |value|)), /:/);
        # if (|parts| == 2)
        NOTICE([$note=HTTP::Basic_Auth_Server,
                $identifier=cat(c$id$resp_h, c$id$resp_p),
                $suppress_for=1day,
                $conn=c]);
        }
    }
When I run the script against a local pcap with HTTP basic auth traffic, I
get the printed line:
root at raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro
HTTP::Basic_Auth_Server
But I never get the emailed alert.
I AM getting hourly Connection Summary emails so I know bro can send email
to my gmail address. Would the alerts be included inside those emails?
Could you please provide any tips/suggestions/corrections/rebukes for what
I'm doing? Are there other configurations I missed? Is there a general
log for bro that can show an error if it's trying to send email but it
can't?
Thanks.
Craig L Bowser
____________________________
This email is measured by size. Bits and bytes may have settled during
transport.
On Thu, Aug 10, 2017 at 10:34 PM, craig bowser <reswob10 at gmail.com> wrote:
>
> OK, I've been continuing to work at this and I found Scott Runnell's most
> excellent blog posts and I've been following part #3.
>
> http://ryesecurity.blogspot.com/2012/05/learning-bro-scripting-language.html
>
> Now I know that bro has updated a lot since then, but I think I've got the
> syntax right. However, while the code works and I get one notice in my
> notice.log, I'm not getting an emailed alert.
>
> What am I still missing?
>
> Thanks.
>
> -------------------------------------------
>
>
>
> module HTTP;
>
> export {
> redef enum Notice::Type += {
> ## Generated if a site is detected using Basic Access Authentication
> HTTP::Basic_Auth_Server
> };
> }
>
> redef Notice::mail_dest = "reswob10 at gmail.com";
> redef Notice::emailed_types += { HTTP::Basic_Auth_Server };
>
>
> hook Notice::policy(n: Notice::Info)
> {
> if ( n$note == HTTP::Basic_Auth_Server )
> add n$actions[Notice::ACTION_EMAIL];
> }
>
> event http_header(c: connection, is_orig: bool, name: string, value:
> string)
> {
> if (/AUTHORIZATION/ in name && /Basic/ in value)
> {
> NOTICE([$note=HTTP::Basic_Auth_Server,
> $identifier=cat(c$id$resp_h, c$id$resp_p),
> $suppress_for=1day,
> $conn=c]);
> }
> }
>
>
>
> Craig L Bowser
> ____________________________
>
> This email is measured by size. Bits and bytes may have settled during
> transport.
>
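One way to check whether the policy hook is actually attaching the email action, as an added example that is not part of this thread: a small Python script that reads the actions column of the notice.log written by a run like the bro -r command above and lists notices of a given type that lack Notice::ACTION_EMAIL. The notice.log content below is a constructed sample with only the columns the check needs.

```python
# Constructed sample notice.log in Bro's ASCII (TSV) format, trimmed to the
# columns this check needs. Two HTTP::Basic_Auth_Server notices: one that
# received ACTION_EMAIL from the policy hook and one that did not.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg\tactions\tsuppress_for\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tset[enum]\tinterval\n"
    "1502557906.123456\tCHhAvVGS1DHFjwGM9\t192.0.2.10\t51234\t198.51.100.7\t80\t"
    "HTTP::Basic_Auth_Server\t-\tNotice::ACTION_LOG,Notice::ACTION_EMAIL\t86400.000000\n"
    "1502557907.000000\tC4J4Th3PJpwUYZZ6gc\t192.0.2.11\t51235\t198.51.100.7\t80\t"
    "HTTP::Basic_Auth_Server\t-\tNotice::ACTION_LOG\t86400.000000\n"
    "#close\t2017-08-12-10-11-50\n"
)

def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of row dicts keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/footer lines; only #fields carries information we need.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def notice_actions(row):
    """Return the set of Notice::Action values recorded for one notice row."""
    raw = row.get("actions", "-")
    if raw in ("-", "(empty)"):      # unset field or empty set
        return set()
    return set(raw.split(","))

def notices_without_email(text, note_type="HTTP::Basic_Auth_Server"):
    """UIDs of notices of the given type that never had ACTION_EMAIL attached."""
    return [row["uid"] for row in parse_bro_log(text)
            if row["note"] == note_type
            and "Notice::ACTION_EMAIL" not in notice_actions(row)]
```

For a real run, pass open("notice.log").read() instead of the sample. If every row already carries Notice::ACTION_EMAIL and still no mail arrives, the problem lies after the policy hook (mail delivery, such as the Notice::sendmail path or the mail_dest value) rather than in the script.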