bro email, cleartext passwords

Also, It would be nice if we can capture clear text ftp passwords.

You can get these using an "account_tried" event handler. See its invocation
in ftp.bro. (In fact, come to think of it passwords.bro should be written
in terms of account_tried.)

1) [ From policy/notice.bro ]
global notice_policy: set[notice_policy_item] = {
        [$pred(n: notice_info) = { return T; },
         $result = NOTICE_EMAIL,
         $priority = 0],
} &redef;

How do I set up various degree's of notifications. For some things I
would like to be paged, others an email and rest just logged.

$result seems to let me setup only one notice action option here.

The key about notice_policy is that it's a *set* of notice_policy_item's,
so you can specify a bunch of them. So for example, here's a subset of
the notice_policy modifications we use operationally at ICSI:

  redef notice_policy += {

    # Ignore sensitive URLs that are out of the FTP directory.
    # Note that some weird clients generate tons of global/'s
    # in their fetches, too.
    [$pred(n: notice_info) = {
      return n?$URL && n$URL == /^\/?ftp\/(global\/)*etc.*/; },
     $result = NOTICE_FILE,
     $priority = 1],

    # wyvern generates a lot of these as it tries to look up remote
    # hosts for processing mail.
    [$pred(n: notice_info) =
      { return n$note == DNS::DNS_PTR_Scan && n$src in; },
     $result = NOTICE_IGNORE,
     $priority = 1],

    # Connections to 2766/tcp ("Solaris listen service") appear to
    # always be actually due to P2P apps.
    [$pred(n: notice_info) =
      return n$note == SensitiveConnection &&
        n$msg == /Solaris listen service/;
     $result = NOTICE_FILE,
     $priority = 1],

I dont see in scripts folder so right now I am not very
sure how bro is going to handle sending email notification and what this
script is intending to do.

I double-checked and it's part of the distribution:


It is going to parse logs periodically and grep for NOTICE_EMAIL and
take action or has some other mechanism is intended ?

It's different. The NOTICE() function will invoke email_notice() for
NOTICE_EMAIL or NOTICE_PAGE, which in turn will execute the script.