[Bro] bro intel notice log
Alex Kefallonitis
al.kefallonitis at gmail.com
Tue Mar 28 00:24:53 PDT 2017
I want Bro to send email notifications on all notices, but I can't get
Intel into the notice log. I can't figure out what I am doing wrong.
2017-03-27 22:27 GMT+03:00 Alex Kefallonitis <al.kefallonitis at gmail.com>:
> The Critical Stack module is up and running and generates intel logs. I want
> Bro to send email when an indicator is seen. Although I receive mail from
> Bro for notices, and I added do_notice.bro to local.bro, I have never seen an
> Intel notice email or log. Any advice?
>
> I also tried adding these to local.bro:
>
> redef Notice::emailed_types += {
>     Intel::Notice,
>     Intel::DOMAIN,
>     TeamCymruMalwareHashRegistry::Match,
>     Software::Vulnerable_Version,
>     Traceroute::Detected,
>     Scan::Address_Scan,
>     Scan::Port_Scan,
>     Conn::Content_Gap,
>     DNS::External_Name,
>     FTP::Bruteforcing,
>     FTP::Site_Exec_Success,
>     HTTP::SQL_Injection_Attacker,
>     HTTP::SQL_Injection_Victim,
>     SMTP::Blocklist_Error_Message,
>     SMTP::Blocklist_Blocked_Host,
>     SMTP::Suspicious_Origination,
>     SSH::Password_Guessing,
>     SSH::Login_By_Password_Guesser,
>     SSH::Watched_Country_Login,
>     SSH::Interesting_Hostname_Login,
>     SSL::Certificate_Expired,
>     SSL::Certificate_Expires_Soon,
>     SSL::Certificate_Not_Valid_Yet,
>     Heartbleed::SSL_Heartbeat_Attack,
>     Heartbleed::SSL_Heartbeat_Attack_Success,
>     Heartbleed::SSL_Heartbeat_Odd_Length,
>     Heartbleed::SSL_Heartbeat_Many_Requests,
> };
>
> hook Notice::policy(n: Notice::Info)
>     {
>     add n$actions[Notice::ACTION_EMAIL];
>     }
>
>
> but nothing changed
>
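The following local.bro fragment is an added example for this thread, not the poster's configuration or anything shipped with Bro or Critical Stack. It assumes the Critical Stack agent already loads its feed and that Notice::mail_dest and sendmail already work, as the post says they do for other notice types; the extra feed path and its one indicator are constructed placeholders. Two things worth checking against the quoted configuration: do_notice.bro only raises Intel::Notice for indicators whose meta.do_notice field is T, so a feed that leaves that column at F will fill intel.log without ever producing a notice; and Notice::emailed_types is a set of Notice::Type, whereas Intel::DOMAIN is an Intel::Type (an indicator kind), so it does not belong in that set.

```bro
# Added example (not the thread's own code): local.bro fragment that gets
# Intel hits into notice.log and out as email. Assumes the Critical Stack
# agent already loads its feed and that Notice::mail_dest / sendmail already
# work for other notices, as the original post states.

@load frameworks/intel/seen        # hooks Intel::seen() into conn/dns/http/ssl/... so Intel::match fires
@load frameworks/intel/do_notice   # turns an Intel::match into Intel::Notice when meta.do_notice is T

# Hypothetical extra feed in the intel framework's tab-separated file format.
# The last column is what do_notice.bro keys on: an indicator loaded with
# meta.do_notice = F is written to intel.log when seen but never becomes a
# notice, and therefore never becomes an email.
#
#   #fields indicator        indicator_type  meta.source  meta.desc        meta.url  meta.do_notice
#   evil.example.net         Intel::DOMAIN   local-test   constructed hit  -         T
redef Intel::read_files += {
	"/usr/local/bro/share/bro/site/local.intel",   # assumption: placeholder path
};

# Only Notice::Type values belong here. Intel::Notice is one; Intel::DOMAIN
# is an Intel::Type (an indicator kind), so listing it is a type error.
redef Notice::emailed_types += {
	Intel::Notice,
};

# Alternative to emailing every notice: add the email action only for
# Intel hits. Other notice types keep whatever actions they already have.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Intel::Notice )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

To check the pipeline step by step after deploying this: an indicator being seen should first appear in intel.log; if it does but nothing reaches notice.log, the feed's meta.do_notice column (or the do_notice.bro load) is the place to look; if Intel::Notice rows reach notice.log but no mail arrives, the problem is on the Notice::emailed_types or mail side instead.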