bro email, cleartext passwords and snort signature

Hello All :

We have upgraded to the latest current release of bro lately from
version 7 (0.7a90). While running the newer version we are having some
problems.
[ Not sure if I should have put all questions in one email itself.
Please excuse me for the inconvenience ]

I have some quick operational questions about bro :

1) We used to run wots/swatch on bro logs periodically, which checks for
alert patterns and sends us an email for that particular bro alert
with the content being the alert line from bro logs.

Is there a better way to do this with bro ?

[ I do see policy/notice.bro has some email parameter settings but it does
not seem to be working ]

2) Our site has no cleartext password policy. I do not see passwords.bro
policy [ as suggested by the documentation ] with the default
installation policy files. Is there such a policy available ?

3) The latest version seems to be failing when I am putting snort
signatures on machine.site.bro in the site/ folder.

I have to comment out the following lines in the site/site.site-name.bro
file in order to get bro running.

# Load Bro rules
redef signature_files += "s2b-addendum-sigs";
redef signature_files += "s2b";
redef signature_files += "snort.sig";

# ./bro.rc start | more
bro.rc: Starting ...........bro.rc: Failed to start Bro
Error in signature (s2b-addendum-sigs:17): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:24): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:31): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:53): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:62): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:71): unknown script-level identifier (http_ports)
Error in signature (s2b-addendum-sigs:80): unknown script-level identifier (http_ports)

Not sure what's going wrong here. Any hints ?
Thanks a lot.

Aashish Sharma

You need to load snort.bro to use the Snort signature set.

Robin

Yep, works. I had to define (uncomment, actually)

const use_signatures = T;

in brolite.bro.

Thanks a bunch, Robin.
Aashish