Hi, I'm writing a Bro script to generate telnet.log, as shown in the attachment. But when I simulate several remote telnet login actions, Bro can't record all the login actions completely; it loses nearly half. And if I run this script on PCAPs, it turns out to be normal. Thanks for reading my letter.
main.bro (2.95 KB)
Hello,
I want bro to send email when a note is seen.
I tried adding this to local.bro:
redef Notice::emailed_types += {
    Address_Scan,
    Port_Scan,
};
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note in Notice::emailed_types )
        add n$actions[Notice::ACTION_EMAIL];
    }
Or this:
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Address_Scan )
        add n$actions[Notice::ACTION_EMAIL];
    }
But when I run broctl check I get this error:
error in /usr/local/bro/share/bro/site/local.bro, line 13: unknown identifier Address_Scan, at or near "Address_Scan"
The script policy/misc/scan.bro is indeed loaded.
Thanks a lot !
Nicolas.
Replace Address_Scan with Scan::Address_Scan and Port_Scan with Scan::Port_Scan and try again. You have to identify the module that those names are in.
Thanks, but what do you mean by "identify the module that those names are in"?
I changed Address_Scan to Scan::Address_Scan, but it's the same…
I added "module Scan;" to local.bro, but got the same error.
When I add this directly to scan.bro, it works, but that is not advisable…
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Address_Scan )
        add n$actions[Notice::ACTION_EMAIL];
    }
OK, I found the solution. I added this to my local.bro:
@load misc/scan
with the code:
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan )
        add n$actions[Notice::ACTION_EMAIL];
    }
and it works fine.
Thank you,
Nicolas.
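As an added example (not code from Nicolas's messages or from the Bro distribution), here is a complete local.bro fragment for Bro 2.x that puts the pieces of this thread together: load misc/scan first so the Scan:: notice types exist, reference them with their module prefix, and set a mail destination so ACTION_EMAIL actually sends something. The recipient address is a placeholder, and the Site::local_nets filter in the explicit hook is an assumed refinement, not something the thread asks for.

```bro
# Added example for Bro 2.x; not code from the thread above.

# Load the scan detector before referencing its notice types. Without this,
# Scan::Address_Scan is an "unknown identifier" at parse time, as reported above.
@load misc/scan

# Where the emails go. Notice::mail_dest defaults to "", in which case
# ACTION_EMAIL silently sends nothing. Placeholder address, change it.
redef Notice::mail_dest = "security@example.com";

# scan.bro declares its types inside `module Scan;`, roughly as
#   module Scan;
#   export { redef enum Notice::Type += { Address_Scan, Port_Scan }; }
# so from any other script they must be written with the Scan:: prefix.
# Adding them to Notice::emailed_types is sufficient on its own: the notice
# framework's built-in Notice::policy hook adds ACTION_EMAIL for every
# type in that set, so no extra hook is needed for the simple case.
redef Notice::emailed_types += {
	Scan::Address_Scan,
	Scan::Port_Scan
};

# Explicit form, for when the condition is more than a type match.
# Here (assumed policy): only email about scanners outside our own networks.
hook Notice::policy(n: Notice::Info)
	{
	if ( (n$note == Scan::Address_Scan || n$note == Scan::Port_Scan)
	     && n?$src && n$src !in Site::local_nets )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Run `broctl check` after editing: it parses every loaded script, so a missing `@load` or an unqualified `Address_Scan` shows up there before the deploy rather than at runtime.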
I can’t speak to why you’re only seeing some of the messages unless you’re using a pcap. However, I’m curious what version of Bro you’re running. I believe the telnet analyzer was removed prior to 2.x precisely because it was inaccurate.
-Dop