I have my sensor set up to email me notices with:
hook Notice::policy(n: Notice::Info)
{
add n$actions[Notice::ACTION_EMAIL];
}
If I understand correct this will email me upon any entry in the notice.log. Is there a way to:
- only get specific items emailed upon entry
- get the rest of notice.log entries emailed with ACTON_ALARM in the alarm-mail.txt and have that ignore anything that was previously emailed.
- Only get one notice email per alert?
What I am doing is in the /opt/bro/share/bro/intel folder creating different folders with IOS’s I want the intel framework to look over and I am using meta.do_notice to send the items of importance to the notice log.
Excuse my ignorance with this subject I am just now trying to get things emailed out efficiently to reduce some noise and redundancy my analysts are seeing.
I'm not sure about #2, but for 1 and 3 there is an easy way to do this with the default configuration. The notice framework has this as the notice policy:
hook Notice::policy(n: Notice::Info) &priority=10
{
if ( n$note in Notice::ignored_types )
break;
if ( n$note in Notice::not_suppressed_types )
n$suppress_for=0secs;
if ( n$note in Notice::alarmed_types )
add n$actions[ACTION_ALARM];
if ( n$note in Notice::emailed_types )
add n$actions[ACTION_EMAIL];
if ( n$note in Notice::type_suppression_intervals )
n$suppress_for=Notice::type_suppression_intervals[n$note];
# Logging is a default action. It can be removed in a later hook if desired.
add n$actions[ACTION_LOG];
}
Those tables are all setup to make it easy to toggle actions:
## Ignored notice types.
const ignored_types: set[Notice::Type] = {} &redef;
## Emailed notice types.
const emailed_types: set[Notice::Type] = {} &redef;
## Alarmed notice types.
const alarmed_types: set[Notice::Type] = {} &redef;
## Types that should be suppressed for the default suppression interval.
const not_suppressed_types: set[Notice::Type] = {} &redef;
So you simply need something like this in your local.bro:
redef Notice::emailed_types += {
HTTP::SQL_Injection_Attacker,
HTTP::SQL_Injection_Victim,
}
If you do need to do anything more complicated, you can use your own Notice::policy and add whatever logic you want.
To not get multiple emails for the same notice you need to ensure that the notice has the $identifier set that uniquely identifies the notice. This is minimally something like cat(id$orig_h). If you look at any of the scripts in policy/ you can see how they do this.
Thanks I’ll give it a shot
When trying what you suggested I get the following output from broctl check:
error in /opt/bro/share/bro/policy/frameworks/control/controllee.bro, line 15: syntax error, at or near “module”
At the bottom of my local.bro I added:
redef Notice::emailed_types += {
FTP::Bruteforcing,
FTP::Site_Exec_Success,
HTTP::SQL_Injection_Attacker,
HTTP::SQL_Injection_Victim,
SMTP::Blocklist_Error_Message,
SMTP::Blocklist_Blocked_Host,
SMTP::Suspicious_Origination,
SSH::Password_Guessing,
SSH::Login_By_Password_Guesser,
}
Any reason why broctl is finding an error in the controllee.bro script.
Ah, I made a common error. The redef line is a regular statement(compared to something like an 'if' or 'export' block) and it needs a ; at the end. The final line needs to be
};
Bro complains about controllee.bro because it is still expecting a ; and it is the next file that is parsed.