Hello,
Is there a way to customize/add items that are e-mailed as a part of the BRO hourly connection summary reports? I would like to add geoip lookups for example?
Thank You,
Konrad
frameworks/notice/actions/add-geodata.bro does this.
you just need to do something like:
    redef Notice::lookup_location_types += {
        HTTP::MD5,
        HTTP::Incorrect_File_Type,
        HTTP::IncorrectFileTypeBadHost,
        HTTP::Sensitive_URI,
        HTTP::ResetConnection,
    };
or write a notice hook that adds ACTION_ADD_GEODATA to all notices.
which means taking this:
    # from add-geodata.bro, which sits inside "module Notice;"
    hook policy(n: Notice::Info) &priority=10
        {
        if ( n$note in Notice::lookup_location_types )
            add n$actions[ACTION_ADD_GEODATA];
        }
and adding one of your own like
    # in your own script (no "module Notice;"), qualify the hook and the action
    hook Notice::policy(n: Notice::Info) &priority=10
        {
        add n$actions[Notice::ACTION_ADD_GEODATA];
        }
Thanks Justin.
I am a newbie to BRO. Where would I put that code? Would that be a separate
script which would need to be loaded in local.bro?
Yep. You could add the lines directly to local.bro but that gets messy
fast. I would make a 'notice-locations.bro' in the site directory that
contains the location specific tweaks, then add a simple
@load notice-locations
in local.bro
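Putting the pieces from this thread together, here is a complete notice-locations.bro as an added example; it is not code from the thread or from Bro's own scripts. It assumes the site directory is on Bro's script path (as with BroControl) and that Site::local_nets is set in local.bro, and it only requests geodata for notices that name a non-local host, since there is nothing useful to look up for purely internal addresses.

```bro
# site/notice-locations.bro  (added example, not part of the thread)
# Loaded from local.bro with:   @load notice-locations

# Pull in the script that defines ACTION_ADD_GEODATA and fills in
# n$remote_location whenever that action is present on a notice.
@load frameworks/notice/actions/add-geodata

# Outside "module Notice;" both the hook and the action must be qualified.
hook Notice::policy(n: Notice::Info) &priority=10
    {
    # Only ask for geodata when the notice carries an address that is not
    # one of ours. Assumption: Site::local_nets is configured in local.bro,
    # otherwise Site::is_local_addr() treats every address as remote.
    if ( (n?$src && ! Site::is_local_addr(n$src)) ||
         (n?$dst && ! Site::is_local_addr(n$dst)) )
        add n$actions[Notice::ACTION_ADD_GEODATA];
    }
```

The remote_location column then shows up in notice.log and in notice e-mails for those notices without having to list each notice type in Notice::lookup_location_types.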