Hello All:
Thanks for clearing up the questions in the last email. I need some more
clarification about email alert generation using bro. I thank you for
your time and help.
I am writing this email in the order in which alert generation needs to be
configured on bro (I think).
1) I am unable to redefine the variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file. Right now I am adding all my sensitive_URIs and ftp hot
files to the corresponding policy files.
export {
const sensitive_URIs =
[ policy/http-request.bro; lines 9+ ]
export {
# Indexed by source & destination addresses and the id.
const skip_hot: set[addr, addr, string] &redef;
const hot_files =
[from policy/ftp.bro; lines 12+ ]
So, how do I redef these variables (which are declared as 'export { const ...'
in the policy files) in my site/policy.bro file?
2) In order to send emails from bro I had to comment out the following
in the notice.bro file:
# if ( ! mail_notification ) ----------------------- (2A)
# return;
# local action = notice_action_filters[n$note](n); --------- (2B)
# Choose destination address based on action type.
# local destination = (action == NOTICE_EMAIL) ?
# mail_dest : mail_page_dest;
local destination = mail_dest ;
2A) I think the 'if (! mail_notification)' condition is not holding true at
all. I see the following definition
../policy/notice.bro:global mail_notification = reading_live_traffic()
&redef;
and
../policy/bro.bif.bro:global reading_live_traffic: function(): bool;
I don't see the reading_live_traffic function defined anywhere. Do I need to
redef the reading_live_traffic() function?
If yes, should it be in the site policy file? Would its value affect
other policy files? (It's used in conn.bro, load-level.bro and
stats.bro.)
2B) local action = notice_action_filters[n$note](n)
gives the following error in the info.log file and bro stops:
1111094454.266502 /usr/local/bro/policy/notice.bro, line 193
(notice_action_filters[n$note]): run-time error, no such index
1111094454.266502 /usr/local/bro/policy/notice.bro, line 196 (action):
run-time error, value used but not set
Commenting out the action variable makes email work fine, but I am not sure
how other things would be affected by this.
3) Finally, declaring sensitive_URIs as in (1) and commenting out (2), I am
getting email notifications working on bro. As suggested,
I am declaring, for example:
[$pred(n: notice_info) =
{
return n?$URL && n$URL == /^.*rootdown.pl.*$/ ;
},
$result = NOTICE_EMAIL,
$priority = 4],
in my site policy file for getting email/page alerts. If I understand it
correctly, I have to first put rootdown.pl (etc.) in the sensitive_URIs list
to get bro to generate an alert, and then declare that particular alert
using the above $pred config in my site policy file. Right?
Since this could lead to a lot of $pred declarations, is it possible to
have a form like the following for a similar category of alerts:
/usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
(/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
boolean operands
which is, obviously, erroneous right now.
4) I checked again and the mail_notice.sh file comes as part of the bro tarball
and is available in the bro-09a8/scripts folder. However, after running make
install-brolite it does not get copied over to /usr/local/bro/scripts. I
thought I should let you know this.
I appreciate all the help here.
Thanks a lot.
Aashish Sharma
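As an added example of what a site policy covering points 1 and 3 of the message above could look like (this is not the author's code and not a file from the Bro distribution), the following assumes the 0.9-era policy files the message quotes: http-request.bro exporting the pattern sensitive_URIs and raising a notice, assumed here to be named HTTP_SensitiveURI, carrying a $URL field; notice.bro exporting notice_policy as a redef'able set of notice_policy_item records; and "+=" being accepted in a redef of a pattern constant the same way it is for sets and tables (an assumption). The constant name site_hot_scripts and the added cmd.exe alternative are illustrative.

```bro
# Added example, not from the original message or the Bro distribution.
# Assumes Bro 0.9-era policy/http-request.bro (pattern sensitive_URIs,
# notice HTTP_SensitiveURI with a $URL field) and policy/notice.bro
# (notice_policy: set[notice_policy_item] &redef).
@load notice
@load http-request

# Several URI substrings folded into one pattern.  Patterns are joined with
# the pattern-alternation operator "|"; "||" is boolean-or and only accepts
# bool operands, which is what the "requires boolean operands" error means.
const site_hot_scripts = /rootdown\.pl/ | /lads\.exe/ | /cmd\.exe/ &redef;

# Extend the shipped pattern from the site policy instead of editing
# policy/http-request.bro.  Assumption: this Bro version accepts "+=" in a
# redef of a pattern constant, as it does for sets and tables.
redef sensitive_URIs += site_hot_scripts;

# One notice_policy entry covers the whole category: it emails for every
# HTTP_SensitiveURI notice whose URL contains any alternative of the pattern
# ("pattern in string" is a substring match, "string == pattern" a full match).
redef notice_policy += {
	[$pred(n: notice_info) =
		{
		return n$note == HTTP_SensitiveURI && n?$URL &&
		       site_hot_scripts in n$URL;
		},
	 $result = NOTICE_EMAIL,
	 $priority = 4],
};
```

Keeping the pattern in a single &redef constant means a new hot script is added in one place; both the detection side (sensitive_URIs) and the action side (the notice_policy predicate) pick it up without another $pred entry.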