Also, it would be nice if we could capture clear-text FTP passwords.

You can get these using an "account_tried" event handler. See its invocation
in ftp.bro. (In fact, come to think of it, passwords.bro should be written
in terms of account_tried.)
1) [ From policy/notice.bro ]

    global notice_policy: set[notice_policy_item] = {
        [$pred(n: notice_info) = { return T; },
         # $result = NOTICE_ALARM_ALWAYS,
         $result = NOTICE_EMAIL,
         $priority = 0],
    } &redef;

How do I set up various degrees of notifications? For some things I
would like to be paged, for others an email, and the rest just logged.
$result seems to let me set up only one notice action option here.
The key about notice_policy is that it's a *set* of notice_policy_item's,
so you can specify a bunch of them. So for example, here's a subset of
the notice_policy modifications we use operationally at ICSI:
    redef notice_policy += {
        # Ignore sensitive URLs that are out of the FTP directory.
        # Note that some weird clients generate tons of global/'s
        # in their fetches, too.
        [$pred(n: notice_info) = {
            return n?$URL && n$URL == /^\/?ftp\/(global\/)*etc.*/; },
         $result = NOTICE_FILE,
         $priority = 1],

        # wyvern generates a lot of these as it tries to look up remote
        # hosts for processing mail.
        [$pred(n: notice_info) =
            { return n$note == DNS::DNS_PTR_Scan && n$src in wyvern.icir.org; },
         $result = NOTICE_IGNORE,
         $priority = 1],

        # Connections to 2766/tcp ("Solaris listen service") appear to
        # always be actually due to P2P apps.
        [$pred(n: notice_info) =
            {
            return n$note == SensitiveConnection &&
                   n$msg == /Solaris listen service/;
            },
         $result = NOTICE_FILE,
         $priority = 1],
    };
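To make the "set of items" answer concrete, here is a small Python model of how such a policy set picks one action per notice. It is an added illustration for this page, not Bro code and not taken from the Bro distribution. It assumes the item with the highest $priority whose predicate matches wins (ties keep list order, which a real script should not rely on since notice_policy is a set), that the default item from policy/notice.bro is always present, and that Bro's `string == pattern` is a whole-string match. The RootBackdoor "page me" tier, the wyvern address and all sample notices are constructed for the example.

```python
"""Model of how a set of notice_policy items selects an action for a notice.

Added illustration, not Bro code. Assumptions: dicts stand in for Bro's
notice_info records; the highest-priority matching item wins; the default
item (match everything, NOTICE_EMAIL, priority 0) is always present. The
RootBackdoor tier, the wyvern address and the sample notices are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

NOTICE_IGNORE = "NOTICE_IGNORE"
NOTICE_FILE = "NOTICE_FILE"
NOTICE_EMAIL = "NOTICE_EMAIL"
NOTICE_PAGE = "NOTICE_PAGE"


@dataclass
class PolicyItem:
    """One notice_policy_item: $pred, $result, $priority."""
    pred: Callable[[dict], bool]
    result: str
    priority: int = 0


# The default item shown in the thread: every notice is e-mailed unless a
# higher-priority item says otherwise.
DEFAULT_ITEM = PolicyItem(lambda n: True, NOTICE_EMAIL, 0)

# Stand-in for the address set Bro builds for the hostname wyvern.icir.org
# (constructed RFC 5737 documentation address, not the real host).
WYVERN_ADDRS = {"192.0.2.10"}

# Bro's `string == pattern` is an exact (whole-string) match, so the patterns
# are applied with fullmatch; `n?$URL` becomes a key-presence check.
FTP_ETC_RE = re.compile(r"/?ftp/(global/)*etc.*")
SOLARIS_RE = re.compile(r"Solaris listen service")

POLICY = [
    DEFAULT_ITEM,
    # Sensitive URLs under the FTP directory: just log to the notice file.
    PolicyItem(lambda n: "URL" in n and FTP_ETC_RE.fullmatch(n["URL"]) is not None,
               NOTICE_FILE, 1),
    # PTR scans from the mail host are expected: drop them entirely.
    PolicyItem(lambda n: n.get("note") == "DNS::DNS_PTR_Scan"
               and n.get("src") in WYVERN_ADDRS,
               NOTICE_IGNORE, 1),
    # 2766/tcp "Solaris listen service" hits are P2P noise: file only.
    PolicyItem(lambda n: n.get("note") == "SensitiveConnection"
               and SOLARIS_RE.fullmatch(n.get("msg", "")) is not None,
               NOTICE_FILE, 1),
    # Hypothetical third tier answering the "page me for some things"
    # question: a made-up note type escalated above everything else.
    PolicyItem(lambda n: n.get("note") == "RootBackdoor", NOTICE_PAGE, 2),
]


def evaluate(policy: list, notice: dict) -> str:
    """Return the $result of the highest-priority item whose $pred matches.

    Ties at equal priority keep the first match in list order (assumption).
    """
    best: Optional[PolicyItem] = None
    for item in policy:
        if item.pred(notice) and (best is None or item.priority > best.priority):
            best = item
    return best.result if best is not None else NOTICE_EMAIL


# Constructed sample notices: one per tier plus two that match nothing special.
SAMPLE_NOTICES = {
    "ftp_etc": {"note": "SensitiveURL", "URL": "/ftp/global/global/etc/passwd"},
    "ftp_pub": {"note": "SensitiveURL", "URL": "/ftp/pub/etc"},
    "ptr_wyvern": {"note": "DNS::DNS_PTR_Scan", "src": "192.0.2.10"},
    "ptr_other": {"note": "DNS::DNS_PTR_Scan", "src": "198.51.100.7"},
    "solaris": {"note": "SensitiveConnection", "msg": "Solaris listen service"},
    "backdoor": {"note": "RootBackdoor", "src": "198.51.100.7"},
}


def classify(notices: dict) -> dict:
    """Map each sample notice name to the action the policy selects for it."""
    return {name: evaluate(POLICY, n) for name, n in notices.items()}


if __name__ == "__main__":
    for name, action in classify(SAMPLE_NOTICES).items():
        print(f"{name:12s} -> {action}")
```

The point the model makes is that "paged / e-mailed / logged" is not chosen by a single $result but by which item wins for a given notice: the default item supplies the e-mail tier, lower-noise items override it downward to NOTICE_FILE or NOTICE_IGNORE, and a higher-priority item can override it upward to NOTICE_PAGE.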
I don't see mail_notice.sh in the scripts folder, so right now I am not very
sure how bro is going to handle sending email notifications and what this
script is intended to do.
I double-checked and it's part of the distribution:
bro-0.9a8/scripts/mail_notice.sh
Is it going to parse logs periodically and grep for NOTICE_EMAIL and
take action, or is some other mechanism intended?
It's different. The NOTICE() function will invoke email_notice() for
NOTICE_EMAIL or NOTICE_PAGE, which in turn will execute the script.
Vern