Bro email notice question

Hi all,

I'm using Bro in Security Onion with Critical stack for intel feeds, we've alsoenabled email notices for Bro which are working well (as per https://github.com/Security-Onion-Solutions/security-onion/wiki/Email).

The email notices generated though just contain something like:

Message: Intel hit on 'some.domain' at 'DNS::IN_REQUEST'
Sub-Message: some.domain
Connection: x.x.x.x -> x.x.x.x Connection uid: aaaaa
Email Extensions

Hi Scotty,

I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro

Some time ago, I adapted the do_notice.bro script to add an identifier
(for notice suppression) and also added some information (e.g. intel
source) to the mails (see
https://gist.github.com/J-Gras/c2e0853c93c0bdc74522). I hope this will
help you :slight_smile:

Regards,
Jan

Hi Jan,

Thank you! This is exactly what I was after. I did have to add a
missing closing bracket ) to line 39.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

Cheers,

Scotty

Hi Scotty,

Thank you! This is exactly what I was after. I did have to add a
missing closing bracket ) to line 39.

You are welcome! I fixed the bracket as well as the misleading
indentation of the script.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

If I remember correctly, the intention of do_notice.bro was to provide
an example how the intel-framework could be used in this context. I
think the example somehow became the default. Therefore I was not sure
whether these changes would be suited for the do_notice.bro shipped with
Bro.

Regards,
Jan

Yep, that script is really only meant as an example and it's not loaded by default in Bro. I believe that criticalstack has chosen to load that script though.

We certainly aren't against fixing up any scripts in Bro to make them more generally useful though, and from a quick skim it looks like those are totally reasonable changes which I apparently missed when I was writing that script.

  .Seth

Hi Seth,

It's saved us a BUNCH of time already - just having the notice source in
the email by default.

Would def +1 having these rolled back in at some point :slight_smile:

Cheers,

Scotty

If we are ever in the same place Jan - beers on me!

Thanks.

Scotty

Hi,

If we are ever in the same place Jan - beers on me!

Thanks.

I am happy that I could help! :slight_smile:

I have a few other small improvements for the intel-framework, which I
plan to commit. I will include the do_notice.bro once I open a pull request.

Best regards,
Jan