Changing notice log entry actions from Action::Log to Action::Email

Hi,

In searching previous Bro posts, I’m still not able to understand how to get Bro to email certain notice types as opposed to just creating log entries.

My local.bro file contains the following:

redef Notice::emailed_types += {
  TeamCymruMalwareHashRegistry::Match,
  Intel::Notice,
  Intel::DOMAIN,
  Intel::CERT_HASH,
  Intel::FILE_HASH,
};
redef Notice::type_suppression_intervals += {
  [TeamCymruMalwareHashRegistry::Match] = 1hr,
  [Intel::Notice] = 1hr,
  [Intel::DOMAIN] = 1hr,
  [Intel::CERT_HASH] = 1hr,
  [Intel::FILE_HASH] = 1hr,
};

Based on this, I’m assuming I would be receiving a summary of all the defined Notice::emailed_types every hour by email. Instead, I’m only receiving Connection Summaries, [Bro] Crash reports, and PacketFilter::Dropped_Packets.

If I open my notice.log I see the following:

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2017-04-25-16-00-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1493150418.640398 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 41 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-9 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150706.509497 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 34 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-3 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150707.543255 - - - - - - - - - HTTP::SQL_Injection_Attacker An SQL injection attacker was discovered! - XXX.XXX.XXX.XXX - - - worker-1-11 Notice::ACTION_LOG 3600.000000 F - - - - -
1493151025.415982 - - - - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 24.664% - - - - - worker-2-6 Notice::ACTION_LOG 3600.000000 F - - - -


For these entries, where or what file do I change specific Notice::Types from Notice::ACTION_LOG to Notice::ACTION_EMAIL?

The Notice::emailed_types that is in your local.bro that you included in your email.

If you want to get emailed about SSH::Password_Guessing then it should be in the emailed_types set.

https://www.bro.org/sphinx/frameworks/notice.html#notice-policy-shortcuts
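A concrete version of that answer, added here as an example and not part of the thread or of Bro itself: a local.bro fragment that puts SSH::Password_Guessing into the emailed set, and the Notice::policy hook form for when the e-mail decision needs a condition on the notice's fields. It assumes Bro 2.x and that a mail destination is configured (broctl fills Notice::mail_dest from MailTo in broctl.cfg); the address at the end is a placeholder.

```bro
# Added example, not the poster's or Justin's code. Assumes Bro 2.x.
@load protocols/ssh/detect-bruteforcing   # defines SSH::Password_Guessing

# Option A: the shortcut. Every notice whose $note is in this set gets
# Notice::ACTION_EMAIL added by the framework, so it lands in notice.log
# with "Notice::ACTION_LOG,Notice::ACTION_EMAIL" instead of just ACTION_LOG.
# Caveat: the set is set[Notice::Type]. Intel::Notice is a notice type, but
# Intel::DOMAIN, Intel::CERT_HASH and Intel::FILE_HASH are Intel::Type
# indicator kinds, so Intel::Notice alone is what covers intel hits here.
redef Notice::emailed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
    SSH::Password_Guessing,
};

# Option B: the same decision via the Notice::policy hook, which is what the
# shortcut expands to. Use this instead of the set entry when you want a
# condition, e.g. only mail when the guessing source is one of your own
# hosts (a likely compromised internal machine) rather than any Internet scanner.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing && n?$src && Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Suppression applies per note/identifier regardless of which option you pick:
# repeats of the same notice within the interval are neither logged nor mailed.
redef Notice::type_suppression_intervals += {
    [SSH::Password_Guessing] = 1hr,
};

# Placeholder destination; normally left to broctl's MailTo setting.
redef Notice::mail_dest = "soc@example.invalid";
```

The "actions" column of notice.log is the quickest check that the change took effect: a notice that still shows only Notice::ACTION_LOG was not matched by either option.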

Ah, got it. Thanks Justin.