Hi,
After searching previous Bro posts, I'm still not able to understand how to get Bro to email certain notice types as opposed to just creating log entries.
My local.bro file contains the following:
redef Notice::emailed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
    Intel::DOMAIN,
    Intel::CERT_HASH,
    Intel::FILE_HASH,
};

redef Notice::type_suppression_intervals += {
    [TeamCymruMalwareHashRegistry::Match] = 1hr,
    [Intel::Notice] = 1hr,
    [Intel::DOMAIN] = 1hr,
    [Intel::CERT_HASH] = 1hr,
    [Intel::FILE_HASH] = 1hr,
};
Based on this, I’m assuming I would be receiving a summary of all the defined Notice::emailed_types every hour by email. Instead, I’m only receiving Connection Summaries, [Bro] Crash reports, and PacketFilter::Dropped_Packets.
If I open my notice.log I see the following:
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2017-04-25-16-00-22
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1493150418.640398 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 41 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-9 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150706.509497 - - - - - - - - - SSH::Password_Guessing XXX.XXX.XXX.XXX appears to be guessing SSH passwords (seen in 34 connections). Sampled servers: XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX, XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX - - - worker-2-3 Notice::ACTION_LOG 3600.000000 F - - - - -
1493150707.543255 - - - - - - - - - HTTP::SQL_Injection_Attacker An SQL injection attacker was discovered! - XXX.XXX.XXX.XXX - - - worker-1-11 Notice::ACTION_LOG 3600.000000 F - - - - -
1493151025.415982 - - - - - - - - - CaptureLoss::Too_Much_Loss The capture loss script detected an estimated loss rate above 24.664% - - - - - worker-2-6 Notice::ACTION_LOG 3600.000000 F - - - -
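Added example (not from the original post and not the Bro project's own code): a local.bro fragment that gets TeamCymruMalwareHashRegistry::Match and Intel::Notice both e-mailed and written to alarm.log, plus a Notice::policy hook for a condition emailed_types cannot express. It assumes Bro 2.5-era script paths, that the MHR and intel do_notice policy scripts are loaded, and the address soc@example.com is a placeholder. Two points worth checking against the configuration above: Notice::emailed_types is a set[Notice::Type], and Intel::DOMAIN, Intel::CERT_HASH and Intel::FILE_HASH are values of Intel::Type (the kind of indicator), not notice types; every intel hit is raised as Intel::Notice, and only for items whose meta.do_notice column is T. Also, ACTION_EMAIL sends one message per notice as it is raised (subject to suppression) and does nothing while Notice::mail_dest is empty; the hourly digest comes from alarm.log (ACTION_ALARM), which broctl mails on its MailAlarmsInterval.

```bro
##! Added example, not from the original post or the Bro distribution.
##! Assumes Bro 2.5 script names; the e-mail address is a placeholder.

@load policy/frameworks/files/detect-MHR
@load policy/frameworks/intel/do_notice

# ACTION_EMAIL is a no-op when Notice::mail_dest is empty. broctl normally
# fills it in from MailTo in broctl.cfg; set it here when running bro by hand.
redef Notice::mail_dest = "soc@example.com";   # assumed placeholder address

# Only Notice::Type values belong here. Intel::DOMAIN, Intel::CERT_HASH and
# Intel::FILE_HASH are Intel::Type values (indicator kinds); every intel hit
# is raised as Intel::Notice, and only for items with meta.do_notice = T.
redef Notice::emailed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
};

# ACTION_EMAIL mails each notice as it happens (after suppression). The hourly
# batch comes from alarm.log (ACTION_ALARM), which broctl mails on its
# MailAlarmsInterval; list the types here as well to get that digest.
redef Notice::alarmed_types += {
    TeamCymruMalwareHashRegistry::Match,
    Intel::Notice,
};

# Suppress repeats of the same notice/identifier for an hour, matching the
# 3600.000000 suppress_for column seen in notice.log.
redef Notice::type_suppression_intervals += {
    [TeamCymruMalwareHashRegistry::Match] = 1hr,
    [Intel::Notice] = 1hr,
};

# For conditions emailed_types cannot express, add the action in the policy
# hook. This e-mails the HTTP::SQL_Injection_Attacker notices seen in the
# poster's notice.log, but only when the attacker is outside Site::local_nets.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == HTTP::SQL_Injection_Attacker && n?$src && ! Site::is_local_addr(n$src) )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

To confirm the configuration took effect, look at the actions column of notice.log after a matching notice fires: it should read Notice::ACTION_LOG,Notice::ACTION_EMAIL (and Notice::ACTION_ALARM for alarmed types) rather than Notice::ACTION_LOG alone. If the actions are right but no mail arrives, check Notice::mail_dest and that the Notice::sendmail binary exists on the manager.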