Bro email notice question

Hi all,

I'm using Bro in Security Onion with Critical Stack for intel feeds, we've also enabled email notices for Bro which are working well (as per https://github.com/Security-Onion-Solutions/security-onion/wiki/Email).

The email notices generated though just contain something like:

Message: Intel hit on 'some.domain' at 'DNS::IN_REQUEST'
Sub-Message: some.domain
Connection: x.x.x.x -> x.x.x.x Connection uid: aaaaa
Email Extensions

Hi Scotty,

> I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro

Some time ago, I adapted the do_notice.bro script to add an identifier
(for notice suppression) and also added some information (e.g. intel
source) to the mails (see
"Extends the original do_notice.bro to add an identifier to the notices." on GitHub). I hope this will
help you :)

Regards,
Jan
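
The two changes discussed in this thread (putting the intel source(s) into the notice $sub and setting an $identifier so the notice framework can suppress repeats) can be made entirely inside the Intel::match handler, since each matched Item carries its feed name in item$meta$source. The script below is an added example written for this thread, not Jan's gist and not the do_notice.bro shipped with Bro; it is a drop-in replacement for do_notice.bro and must not be loaded alongside it, because both define the Intel::Notice type. The field names (Seen, Item, MetaData$source, do_notice, if_in) are the Bro 2.x intel framework's own; the text added to $sub and the identifier layout are choices made here.

```zeek
# Replacement for policy/frameworks/intel/do_notice.bro (example, not the
# script distributed with Bro): raises Intel::Notice with the matching
# feed sources in $sub and an $identifier for notice suppression.
@load base/frameworks/intel
@load base/frameworks/notice

module Intel;

export {
	redef enum Notice::Type += {
		## Raised when a matched intel item has do_notice=T.
		Intel::Notice
	};

	redef record Intel::MetaData += {
		## Set to T on an intel item to have matches generate a notice.
		do_notice: bool &default=F;
		## If set, only generate the notice when the indicator is seen
		## in this location (e.g. DNS::IN_REQUEST).
		if_in: Intel::Where &optional;
	};
}

event Intel::match(s: Seen, items: set[Item])
	{
	# Collect the source of every item that wants a notice, so an
	# indicator present in several feeds produces one mail listing all
	# of them instead of one mail per feed.
	local sources: set[string];
	local want_notice = F;

	for ( item in items )
		{
		if ( item$meta$do_notice &&
		     ( ! item$meta?$if_in || s$where == item$meta$if_in ) )
			{
			want_notice = T;
			add sources[item$meta$source];
			}
		}

	if ( ! want_notice )
		return;

	local n = Notice::Info($note=Intel::Notice,
	                       $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
	                       # Indicator plus the feed(s) it came from.
	                       $sub=fmt("%s (sources: %s)", s$indicator,
	                                join_string_set(sources, ", ")),
	                       # Same indicator seen in the same location within
	                       # Notice::default_suppression_interval is suppressed.
	                       $identifier=cat(s$indicator, s$where));

	if ( s?$conn )
		n$conn = s$conn;

	NOTICE(n);
	}
```

With $identifier set, the notice framework suppresses further Intel::Notice instances with the same identifier for Notice::default_suppression_interval (one hour unless redefined), so the mail for a given indicator and location is sent once per hour no matter how many hosts trigger it; if you want one mail per source host, include s$host in the cat() call (it is &optional on Seen, so guard it with s?$host). The script only changes what goes into the notice; which notice types are emailed is still controlled by Notice::emailed_types, as the Security Onion wiki page linked above describes.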

Hi Jan,

Thank you! This is exactly what I was after. I did have to add a
missing closing bracket ) to line 39.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

Cheers,

Scotty

Hi Scotty,

> Thank you! This is exactly what I was after. I did have to add a
> missing closing bracket ) to line 39.

You are welcome! I fixed the bracket as well as the misleading
indentation of the script.

> Did you ever have any discussion on getting this added/changed to the
> default do_notice that is distributed with bro?

If I remember correctly, the intention of do_notice.bro was to provide
an example how the intel-framework could be used in this context. I
think the example somehow became the default. Therefore I was not sure
whether these changes would be suited for the do_notice.bro shipped with
Bro.

Regards,
Jan

Yep, that script is really only meant as an example and it's not loaded by default in Bro. I believe that criticalstack has chosen to load that script though.

We certainly aren't against fixing up any scripts in Bro to make them more generally useful though, and from a quick skim it looks like those are totally reasonable changes which I apparently missed when I was writing that script.

  .Seth

Hi Seth,

It's saved us a BUNCH of time already - just having the notice source in
the email by default.

Would def +1 having these rolled back in at some point :)

Cheers,

Scotty

If we are ever in the same place Jan - beers on me!

Thanks.

Scotty

Hi,

> If we are ever in the same place Jan - beers on me!
>
> Thanks.

I am happy that I could help! :)

I have a few other small improvements for the intel-framework, which I
plan to commit. I will include the do_notice.bro once I open a pull request.

Best regards,
Jan