Bro 2.5/2.6 on FIPS-enabled Host

I have tried my Google-fu far and wide, but I have not found a
solution yet to operate Bro on a FIPS-enabled host. When FIPS is
enabled via the kernel, Bro refuses to start because of its use of
MD5. Any assistance in the matter would be appreciated.

- Stephen

Hi Stephen,

a pull request about this was actually just merged; see https://github.com/zeek/zeek/pull/232 and https://github.com/zeek/zeek/pull/255.

This will be in the 2.7 version once it is released. For 2.6 and earlier, the easiest is probably to set the magic “MD5 is allowed” environment variable that most distributions that I know offer and to note in your security policy that this is ok because Zeek does not use MD5 for security, only to output hash information.

Johanna

Johanna,

Thank you. This has put me in the right direction.

- Stephen

Hello,

Is there a way to have multiple recipients of the Bro alerts?
I have a script that sends emails for 5 alerts. I would like to send some alerts to some different recipients...
Could I define this directly in my script or in broctl.cfg or others?

Thanks in advance for your help

Nicolas

Hello,

I found "Notice::mail_dest",
so I define this in my script:

redef Notice::mail_dest = "user@domain.com";
redef Notice::emailed_types += { SSH::Password_Guessing, };

hook Notice::policy(n: Notice::Info)
    {
    # Add the e-mail action only for this notice type.
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }

It doesn’t work… the alert is always sent to the default email in broctl.cfg.
I see in documentation : “Note this is overridden by the BroControl MailTo option.”

Do you know how I can use the 'mail_dest' option correctly?

Thanks

Nicolas.
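Added example (not code from the thread or from the Zeek project) showing how the per-notice routing asked about above can be expressed in a Notice::policy hook. It assumes the Bro 2.x function Notice::email_notice_to(n, dest, extend), which the built-in ACTION_EMAIL action itself uses; the module name, the extra_recipients table and all addresses are constructed placeholders.

```zeek
# Added example: send selected notices to additional recipients from a
# Notice::policy hook, while the default Notice::mail_dest / MailTo
# address keeps receiving them through ACTION_EMAIL.
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing   # defines SSH::Password_Guessing

module RecipientRouting;

export {
    ## Extra recipients per notice type (constructed example table;
    ## extend it with redef from local.bro).
    const extra_recipients: table[Notice::Type] of set[string] = {
        [SSH::Password_Guessing] = set("ssh-team@example.com",
                                       "oncall@example.com"),
    } &redef;
}

# Default recipient; BroControl's MailTo option overrides this value.
redef Notice::mail_dest = "soc@example.com";

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note !in extra_recipients )
        return;

    # Keep the normal path: the notice is mailed to Notice::mail_dest.
    add n$actions[Notice::ACTION_EMAIL];

    # Additionally mail each extra recipient directly. The addresses are
    # fixed in the script, so they are not replaced by MailTo.
    # extend=T includes any email_body_sections attached to the notice.
    # Note: email_notice_to() does nothing while reading a trace file.
    for ( dest in extra_recipients[n$note] )
        Notice::email_notice_to(n, dest, T);
    }
```

Because the hook calls email_notice_to() itself, the extra addresses are independent of the broctl.cfg MailTo value (which only redefines Notice::mail_dest) and of MailAlarmsTo, which is tied to ACTION_ALARM and the periodic alarm summary rather than to individual notices.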

Can somebody help me ?

I tried to put

const mail_dest = "user@domain.com" &redef;
in /framework/notice/main.bro

or my local.bro
but nothing works,

I tried also to put in my script
redef Notice::mail_dest = "user@domain.com";
but nothing works,

How can I send ACTION_ALARM to the email of "mail_dest"?

I'm really lost...

Thanks in advance,

Nicolas.

If you are using BroControl, have you tried setting the MailTo option
and/or MailAlarmsTo option in broctl.cfg ? As you saw from the
documentation, those take precedence over values defined in scripts.

- Jon

Thanks, it works fine with MailAlarmsTo in broctl.cfg.
But MailAlarmsTo works with ACTION_ALARM and sends only alarm summary mails, not the alarm directly...

Thank you,

Nicolas.