Bro email notice question

Scotty_Brown · March 24, 2016, 4:54am

Hi all,

I'm using Bro in Security Onion with Critical stack for intel feeds, we've alsoenabled email notices for Bro which are working well (as per https://github.com/Security-Onion-Solutions/security-onion/wiki/Email).

The email notices generated though just contain something like:

Message: Intel hit on 'some.domain' at 'DNS::IN_REQUEST'
Sub-Message: some.domain
Connection: x.x.x.x -> x.x.x.x Connection uid: aaaaa
Email Extensions

Jan · March 24, 2016, 3:14pm

Hi Scotty,

I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro

Some time ago, I adapted the do_notice.bro script to add an identifier
(for notice suppression) and also added some information (e.g. intel
source) to the mails (see
https://gist.github.com/J-Gras/c2e0853c93c0bdc74522). I hope this will
help you

Regards,
Jan

Scotty_Brown · March 29, 2016, 4:41am

Hi Jan,

Thank you! This is exactly what I was after. I did have to add a
missing closing bracket ) to line 39.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

Cheers,

Scotty

Jan · March 29, 2016, 4:15pm

Hi Scotty,

Thank you! This is exactly what I was after. I did have to add a
missing closing bracket ) to line 39.

You are welcome! I fixed the bracket as well as the misleading
indentation of the script.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

If I remember correctly, the intention of do_notice.bro was to provide
an example how the intel-framework could be used in this context. I
think the example somehow became the default. Therefore I was not sure
whether these changes would be suited for the do_notice.bro shipped with
Bro.

Regards,
Jan

Seth_Hall3 · April 3, 2016, 7:05pm

Yep, that script is really only meant as an example and it's not loaded by default in Bro. I believe that criticalstack has chosen to load that script though.

We certainly aren't against fixing up any scripts in Bro to make them more generally useful though, and from a quick skim it looks like those are totally reasonable changes which I apparently missed when I was writing that script.

.Seth

Scotty_Brown · April 3, 2016, 9:52pm

Hi Seth,

It's saved us a BUNCH of time already - just having the notice source in
the email by default.

Would def +1 having these rolled back in at some point

Cheers,

Scotty

Scotty_Brown · April 3, 2016, 9:53pm

If we are ever in the same place Jan - beers on me!

Thanks.

Scotty

Jan · April 4, 2016, 12:01pm

Hi,

If we are ever in the same place Jan - beers on me!

Thanks.

I am happy that I could help!

I have a few other small improvements for the intel-framework, which I
plan to commit. I will include the do_notice.bro once I open a pull request.

Best regards,
Jan

system · May 6, 2022, 3:43pm