[Bro] bro intel notice log

Alex Kefallonitis al.kefallonitis at gmail.com
Mon Mar 27 12:27:27 PDT 2017


Critical Stack module is up and running and generates intel logs. I want
Bro to send email when an indicator is seen. Although I receive mail from
Bro for notices and I added do_notice.bro to local.bro, I have never seen a
notice intel email or log. Any advice?

I also tried adding these to local.bro:

# Notice::emailed_types is a set[Notice::Type]; every entry must be a notice type.
# (Intel::DOMAIN was removed from this list: it is an Intel::Type indicator kind,
# not a Notice::Type, and would cause a type clash when the script is loaded.)
redef Notice::emailed_types += {
 Intel::Notice,
 TeamCymruMalwareHashRegistry::Match,
 Software::Vulnerable_Version,
 Traceroute::Detected,
 Scan::Address_Scan,
 Scan::Port_Scan,
 Conn::Content_Gap,
 DNS::External_Name,
 FTP::Bruteforcing,
 FTP::Site_Exec_Success,
 HTTP::SQL_Injection_Attacker,
 HTTP::SQL_Injection_Victim,
 SMTP::Blocklist_Error_Message,
 SMTP::Blocklist_Blocked_Host,
 SMTP::Suspicious_Origination,
 SSH::Password_Guessing,
 SSH::Login_By_Password_Guesser,
 SSH::Watched_Country_Login,
 SSH::Interesting_Hostname_Login,
 SSL::Certificate_Expired,
 SSL::Certificate_Expires_Soon,
 SSL::Certificate_Not_Valid_Yet,
 Heartbleed::SSL_Heartbeat_Attack,
 Heartbleed::SSL_Heartbeat_Attack_Success,
 Heartbleed::SSL_Heartbeat_Odd_Length,
 Heartbleed::SSL_Heartbeat_Many_Requests,
};

# Unconditional: adds the email action to every notice that reaches the
# policy hook, not only intel hits.
hook Notice::policy(n: Notice::Info)
            {
            add n$actions[Notice::ACTION_EMAIL];
            }


but nothing changed.
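As an added example (not part of the original message), here is a local.bro fragment that wires Intel framework hits to email the way the poster wants. It assumes Bro 2.x with the stock Intel and Notice frameworks; the mail address and the intel file path are placeholders. Two things the original snippet does not cover are shown: `Notice::mail_dest` must be set for `Notice::ACTION_EMAIL` to deliver anything, and `do_notice.bro` raises `Intel::Notice` only for indicators whose `meta.do_notice` column is `T` in the loaded intel file, so a feed that leaves that column `F` produces intel.log entries but no notice at all.

```bro
# Added example, not from the original post. Assumes Bro 2.x frameworks;
# the address and file path below are placeholders.

@load frameworks/intel/seen        # feeds observed DNS names, hashes, etc. into the Intel framework
@load frameworks/intel/do_notice   # raises Intel::Notice for matches with meta.do_notice=T

# Destination for Notice::ACTION_EMAIL. If this is empty, the email action does nothing.
redef Notice::mail_dest = "soc@example.invalid";   # placeholder

# Intel file(s) to load; each row needs meta.do_notice set to T for a notice to fire.
redef Intel::read_files += { "/path/to/intel.dat" };   # placeholder path

# Simplest route: let the Notice framework email this notice type directly.
redef Notice::emailed_types += { Intel::Notice };

# Equivalent, but explicit: add the email action only for intel hits,
# instead of for every notice as an unconditional hook would.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Intel::Notice )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

A quick check before changing anything else: `grep Intel::Notice notice.log` shows whether notices are being generated at all. If intel.log has hits but notice.log has none, the `meta.do_notice` column in the feed is the first thing to inspect; if notice.log has the entries but no mail arrives, `Notice::mail_dest` and the sendmail path on the box are the next suspects.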

