bro email, cleartext passwords and snort signature

1) We used to run wots/swatch on bro logs periodically, which checks for
alert patterns and sends us an email for that particular bro alert,
with the content being the alert line from the bro logs.

Is there a better way to do this with bro?

With the latest release there are two new notice actions, NOTICE_EMAIL and
NOTICE_PAGE, which you can use for this.

[ I do see policy/notice.bro has some email parameter settings but it does
not seem to be working ]

Can you provide an example that demonstrates it's not working?

2) Our site has a no cleartext password policy. I do not see the passwords.bro
policy [ as suggested by the documentation ] with the default
installation policy files. Is there such a policy available?

Oops, it got left out inadvertently, as did rsh.bro. I'll send them
along in the next two messages so folks can play with them prior to
the next release.

3) The latest version seems to be failing when I put snort
signatures in machine.site.bro in the site/ folder.

I see that you've since figured this out. A significant change with
the 0.9a8 release was that signatures are now turned off by default.

    Vern

Thanks a lot Vern. Getting passwords.bro and rsh.bro is very helpful. I
have activated them to enforce our site policy.

Also, it would be nice if we could capture cleartext ftp passwords.
Recently we have seen that's how most warez upload/download is done.
In some of the root exploit attempts in the recent past, miscreants had their
own ftp server with a stockpile of exploits, from where they ftp'ed
selected ones to our machine using their login/passwd.

> With the latest release there are two new notice actions, NOTICE_EMAIL and
> NOTICE_PAGE, which you can use for this.

1) [ From policy/notice.bro ]
global notice_policy: set[notice_policy_item] = {
        [$pred(n: notice_info) = { return T; },
         # $result = NOTICE_ALARM_ALWAYS,
         $result = NOTICE_EMAIL,
         $priority = 0],
} &redef;

How do I set up various degrees of notification? For some things I
would like to be paged, for others an email, and the rest just logged.

$result seems to let me set up only one notice action option here.

> > [ I do see policy/notice.bro has some email parameter settings but does
> > not seem to be working ]
>
> Can you provide an example that demonstrates it's not working?

However, if I understand it correctly, the email sending mechanism is defined
here in notice.bro:

# Variables that control email notification.
global mail_notification = reading_live_traffic() &redef;
global mail_script = "mail_notice.sh" &redef;
global mail_dest = "bro" &redef;
global mail_page_dest = "bro-page" &redef;

I don't see mail_notice.sh in the scripts folder, so right now I am not very
sure how bro is going to handle sending email notifications and what this
script is intended to do.

Is it going to parse the logs periodically and grep for NOTICE_EMAIL and
take action, or is some other mechanism intended?

Thanks,
Aashish
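An added example of the tiered setup asked about above; it is not from the thread and not from Bro's own notice.bro. It uses the notice_policy_item structure shown in the quoted policy ($pred, $result, $priority) and assumes, as in later Bro releases, that when several items match a notice the one with the highest $priority decides the result. The NOTICE_FILE action, the n$note field and the notice names AddressScan and SensitiveLogin are assumptions for illustration and are not confirmed by the thread; NOTICE_EMAIL, NOTICE_PAGE and NOTICE_ALARM_ALWAYS are the actions named in it.

```bro
# Added example, not part of the thread. Placed in a site policy file
# (e.g. machine.site.bro) so that it extends the default notice_policy
# instead of replacing it.
@load notice

# Assumption: the matching item with the highest $priority wins, so the
# catch-all at priority 0 only applies when nothing more specific matches.
redef notice_policy += {
	# Lowest tier: everything not handled below is only written to the
	# notice log (NOTICE_FILE is assumed; NOTICE_ALARM_ALWAYS from the
	# thread fills the same slot if your release lacks it).
	[$pred(n: notice_info) = { return T; },
	 $result = NOTICE_FILE,
	 $priority = 0],

	# Middle tier: scan notices are worth an email but not a page.
	# (AddressScan and n$note are assumed names for illustration.)
	[$pred(n: notice_info) = { return n$note == AddressScan; },
	 $result = NOTICE_EMAIL,
	 $priority = 1],

	# Top tier: a sensitive login should page someone immediately.
	# (SensitiveLogin is an assumed notice name for illustration.)
	[$pred(n: notice_info) = { return n$note == SensitiveLogin; },
	 $result = NOTICE_PAGE,
	 $priority = 2],
};
```

The point of the three items is that $result is per item, not per policy: each tier is its own notice_policy_item with its own predicate, and the priorities order them so that a notice matched by the specific predicates never falls through to the catch-all. Whether email and pages actually go out still depends on mail_notification and the mail_script setting quoted above.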

Hello All,

Any thoughts about this:

> With the latest release there are two new notice actions, NOTICE_EMAIL and
> NOTICE_PAGE, which you can use for this.
>

1) [ From policy/notice.bro ]
global notice_policy: set[notice_policy_item] = {
        [$pred(n: notice_info) = { return T; },
         # $result = NOTICE_ALARM_ALWAYS,
         $result = NOTICE_EMAIL,
         $priority = 0],
} &redef;

How do I set up various degrees of notification? For some things I
would like to be paged, for others an email, and the rest just logged.

$result seems to let me set up only one notice action option here.

> > [ I do see policy/notice.bro has some email parameter settings but does
> > not seem to be working ]
>

2)