Email Notice attempt #2

OK, I’ve been continuing to work at this and I found Scott Runnell’s most excellent blog posts and I’ve been following part #3.

http://ryesecurity.blogspot.com/2012/05/learning-bro-scripting-language.html

Now I know that bro has updated a lot since then, but I think I’ve got the syntax right. However, while the code works and I get one notice in my notice.log, I’m not getting an emailed alert.

What am I still missing?

Thanks.

OK, further refinement:

I’ve been going over the documentation for notices and raising alerts and googling and I think I’ve got the right code syntax, but I still am not getting emailed alerts.

I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro

const mail_dest = "reswob10@gmail.com" &redef;

And here is my script:

module HTTP;

export {
    redef enum Notice::Type += {
        ## Generated if a site is detected using Basic Access Authentication
        HTTP::Basic_Auth_Server
    };
}

redef Notice::mail_dest = "reswob10@gmail.com";

hook Notice::policy(n: Notice::Info) {
        if (n$note == HTTP::Basic_Auth_Server)
                print n$note;
                add n$actions[Notice::ACTION_EMAIL];
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    if (/AUTHORIZATION/ in name && /Basic/ in value)
    {
        local parts: string_array;

        parts = split1(decode_base64(sub_bytes(value, 7, |value|)), /:/);

        if (|parts| == 2)
            NOTICE([$note=HTTP::Basic_Auth_Server,
                    $identifier=cat(c$id$resp_h, c$id$resp_p),
                    $suppress_for=1day,
                    $conn=c
                    ]);
    }
}

When I run the script against a local pcap with HTTP basic auth traffic, I get the printed line:

root@raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro
HTTP::Basic_Auth_Server

But I never get the emailed alert.

I AM getting hourly Connection Summary emails so I know bro can send email to my gmail address. Would the alerts be included inside those emails?

Could you please provide any tips/suggestions/corrections/rebukes for what I’m doing? Are there other configurations I missed? Is there a general log for bro that can show an error if it’s trying to send email but it can’t?

Thanks.

OK, further refinement:

I've been going over the documentation for notices and raising alerts and googling and I think I've got the right code syntax, but I still am not getting emailed alerts.

I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro

const mail_dest = "reswob10@gmail.com" &redef;

Do not modify the scripts that are shipped with bro. This setting is best configured by using the MailTo setting in the broctl.cfg.

hook Notice::policy(n: Notice::Info) {
        if (n$note == HTTP::Basic_Auth_Server)
                print n$note;
                add n$actions[Notice::ACTION_EMAIL];
}

You're missing a set of braces here and this block is really

hook Notice::policy(n: Notice::Info) {
        if (n$note == HTTP::Basic_Auth_Server)
                print n$note;
        add n$actions[Notice::ACTION_EMAIL];
}

You should use simply the

redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

that you had before.

When I run the script against a local pcap with HTTP basic auth traffic, I get the printed line:

root@raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro
HTTP::Basic_Auth_Server

But I never get the emailed alert.

Bro does not send email when running against a pcap file.

Could you please provide any tips/suggestions/corrections/rebukes for what I'm doing? Are there other configurations I missed? Is there a general log for bro that can show an error if it's trying to send email but it can't?

Look at the notice.log. If the actions column contains Notice::ACTION_EMAIL then the script is trying to email the notice. If you did not receive the email then look at stderr.log and the system wide mail log.
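As an added example (not the poster's script and not Bro's own code), here is the script from the thread with both corrections from the reply applied: braces around the if-body in the policy hook, and the `redef Notice::emailed_types` line as the simpler route. It assumes Bro 2.x syntax (`split1`, `sub_bytes`, `decode_base64`), an assumed file name of http-auth-notice.bro, and that the mail address is set with MailTo in broctl.cfg rather than in the script.

```bro
# Added example, not from the thread or from Bro itself. Assumes Bro 2.x.
# Assumed file name: http-auth-notice.bro.
# No mail_dest is set here: it comes from MailTo in broctl.cfg, and email
# is only sent when Bro runs live under broctl, not with "bro -r file.pcap".

@load base/frameworks/notice

module HTTP;

export {
    redef enum Notice::Type += {
        ## Generated if a server is seen using HTTP Basic Access Authentication.
        Basic_Auth_Server
    };
}

# Simplest way to get this notice type emailed: list it in emailed_types.
# The notice framework then adds Notice::ACTION_EMAIL to it on its own.
redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

# If a policy hook is used instead, the braces around the if-body matter:
# without them only the print belongs to the if, and ACTION_EMAIL is added
# to every notice of every type. With emailed_types above this hook is
# redundant (adding to a set is idempotent); it is kept to show the fix.
hook Notice::policy(n: Notice::Info) {
    if (n$note == HTTP::Basic_Auth_Server)
    {
        print n$note;
        add n$actions[Notice::ACTION_EMAIL];
    }
}

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # The Authorization header travels client -> server, so only look at
    # the originator side.
    if (is_orig && /AUTHORIZATION/ in name && /Basic/ in value)
    {
        # Strip the 6-byte "Basic " prefix and decode "user:password".
        local parts = split1(decode_base64(sub_bytes(value, 7, |value|)), /:/);

        if (|parts| == 2)
            NOTICE([$note=HTTP::Basic_Auth_Server,
                    $msg=fmt("HTTP Basic auth seen for server %s:%s",
                             c$id$resp_h, c$id$resp_p),
                    # One notice per server per day, not per request.
                    $identifier=cat(c$id$resp_h, c$id$resp_p),
                    $suppress_for=1day,
                    $conn=c]);
    }
}
```

Running this against a pcap still produces no mail; what it does produce is a row in notice.log whose actions column contains Notice::ACTION_EMAIL, which is the check for whether the script side is correct. The actual delivery only happens when Bro is running live under broctl with MailTo configured, and delivery failures show up in stderr.log and the system mail log rather than in notice.log.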

Thanks for the tips, thanks for your patience.

I got the email to work.