[Bro] SSH brute-force email notice

James Lay jlay at slave-tothe-box.net
Tue Feb 28 07:08:27 PST 2017


On 2017-02-28 07:48, Loris Leiva wrote:
> Hello,
> 
> First of all, I am really grateful for Bro and its easy scripting. I
> have been using Bro in the context of my master thesis and had lots of
> fun using it.
> 
> I am contacting you today as I have encountered a problem that none of
> my google researching skills could solve. Let me try and describe it
> clearly.
> 
> WHAT I AM TRYING TO ACHIEVE:
> I am using the pcap file available at
> https://www.bro.org/static/traces/ssh.pcap [1] to simulate a
> SSH::Password_Guessing notice using the command `broctl process`. My
> goal is simply to make Bro send me an email when such a notice is
> raised.
> 
> WHAT IS GOING WRONG:
> Even though the notice is raised, I do not receive any emails.
> 
> HYPOTHESIS TO ELIMINATE:
> - First of all, my broctl.cfg file is configured correctly and, if I
> raise a random notice in the `bro_init()` event, I successfully
> receive the email.
> - I am also sure that the notice is being raised properly as a
> `notice.log` file gets generated with the relevant notice containing
> the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside
> the module that raises the notice to make sure that this part of the
> code was run.
> 
> WHAT I HAVE TRIED:
> - redefining Notice::emailed_types
> - redefining Notice::alarmed_types
> - adding a Notice::policy hook containing `add
> n$actions[Notice::ACTION_EMAIL];`
> 
> I hope that my problem description helps. I am really struggling to
> understand this behaviour and cannot find similar problems online.
> 
> Please do not hesitate to contact me should you need additional
> information.
> 
> Thank you in advance for your support,
> 
> Best regards,
> Loris
> 
> Links:
> ------
> [1] https://www.bro.org/static/traces/ssh.pcap
> 


There is sample code here:

https://www.bro.org/sphinx/scripting/index.html#raising-notices

But, I myself would love to see a full example...it's one of the things 
that often confuses me about bro; most of the time there's snippets of 
code in the documentation, but I struggle to find a full on 
setup...maybe I'm missing something.  If someone can post something step 
by step and what to add where I'll add it to my brofaq here:

https://github.com/DigiAngel/brofaq

James
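A minimal end-to-end setup of the kind James asks for, written as an added example for this thread (it is not code from the original messages, from the Bro documentation page linked above, or from the brofaq repository). It assumes the lines go into the site's `local.bro` and that `admin at example.com` is a placeholder address to be replaced with a real one.

```bro
# Added example (not from the original thread): wire the
# SSH::Password_Guessing notice to an email action.

# 1. Load the script that raises SSH::Password_Guessing. Without it the
#    notice type exists nowhere and nothing will ever be emailed.
@load protocols/ssh/detect-bruteforcing

# 2. Tell the Notice framework where mail goes. When Bro runs under
#    broctl this is normally filled in from broctl.cfg (MailTo), but
#    setting it here makes a stand-alone run behave the same way.
#    PLACEHOLDER ADDRESS: replace before use.
redef Notice::mail_dest = "admin at example.com";

# 3a. Simplest way: declare the notice type as one that is always mailed.
redef Notice::emailed_types += { SSH::Password_Guessing };

# 3b. Equivalent, but lets you add conditions (only certain responders,
#     only above a threshold, etc.). Either 3a or 3b is enough on its own.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

After editing `local.bro`, run `broctl check` and then `broctl deploy` so the running cluster picks up the change; the `actions` column of `notice.log` should then list `Notice::ACTION_EMAIL` for the `SSH::Password_Guessing` rows produced from the ssh.pcap trace.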

