I am still new to Bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap). I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert"". Line 117 is the "Notice::ACTION_EMAIL" line.
hook Notice::policy(n: Notice::Info)
    {
    if ( n?$conn && n$conn?$http && n$conn$http?$host )
        n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
    }

Notice::ACTION_EMAIL([$note=Virus_Total_Alert,
                      $msg=fmt("Detected potential virus effecting computer.", key$host, r$num),
                      $src=key$host,
                      $identifier=cat(key$host)]);
Thanks,
Andrew Dellana
Andrew,
I'd say everyone sets this up differently (there are quite a few ways).
Here is one simple manner in which you can escalate a notice to be also emailed. I'd first simply generate a notice like this in relevant policy:
    local msg = fmt("Detected potential virus effecting computer.", key$host, r$num);
    NOTICE([$note=Virus_Total_Alert, $msg=msg, $src=key$host, $identifier=cat(key$host)]);
Then,
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }
Hope this helps,
Aashish
Thanks Aashish!
I added it in and ran the script but now it dislikes the 'key$host' in the first line. (unknown identifier key, at or near "key")
Thanks,
Andrew Dellana
Oh, my bad, I didn't quite read:
    local msg = fmt("Detected potential virus effecting computer.", key$host, r$num);
It should be:
    local msg = fmt("Detected potential virus effecting computer: %s, %s", key$host, r$num);
This 2nd part is a common use case and is also built into the default Notice::policy as
    if ( n$note in Notice::emailed_types )
        add n$actions[ACTION_EMAIL];
so all you need in your scripts is
redef Notice::emailed_types += {
Virus_Total_Alert
};
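Putting the pieces of this thread together, here is an added, self-contained Bro script (not from vt_check or any poster) that declares the notice type, raises it with a properly formatted message, and escalates it to email both via Notice::emailed_types and via a Notice::policy hook that adds the HTTP Host header to the mail body. The function name raise_virus_alert, the `positives` count (standing in for r$num) and the mail address are assumptions; key$host from vt_check is replaced by the connection's originator address.

```bro
@load base/frameworks/notice

module VTCheck;

export {
    redef enum Notice::Type += {
        ## Raised when a VirusTotal lookup reports a hit (assumed name).
        Virus_Total_Alert,
    };
}

## Placeholder recipient; set to the real address before deploying.
redef Notice::mail_dest = "soc@example.invalid";

## Simplest escalation: every Virus_Total_Alert also gets ACTION_EMAIL
## through the default Notice::policy.
redef Notice::emailed_types += { Virus_Total_Alert };

## Hypothetical helper called from the detection logic with the
## connection and the number of positive engines.
function raise_virus_alert(c: connection, positives: count)
    {
    NOTICE([$note=Virus_Total_Alert,
            $msg=fmt("Detected potential virus affecting computer %s (%d positives)",
                     c$id$orig_h, positives),
            $src=c$id$orig_h,
            $conn=c,
            $identifier=cat(c$id$orig_h)]);
    }

## Enrich the email body with the HTTP Host header when the notice
## carries an HTTP connection, as in the original question.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert &&
         n?$conn && n$conn?$http && n$conn$http?$host )
        n$email_body_sections[|n$email_body_sections|] =
            fmt("Virus_Total_Alert header: %s", n$conn$http$host);
    }
```

Because $identifier is the originator address, Notice::suppression will collapse repeated hits from the same host into one email per suppression interval.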