Faster Bro Summary of Alerts

Hello Everyone,

New to Bro so please bear with me, but I can’t seem to find my answer online.

Can anyone tell me / point me in the direction to set up Bro to have the alert notices come in every 5-10 mins and not hourly?

I don’t want the connection summary every 5 mins, that can stay every hour, I just want to see the SSH password guessing faster.

This will send you an email each time the notice happens:

  redef Notice::emailed_types += { SSH::Password_Guessing };

  .Seth

Add this field to any notice interval you’d like to change:

$suppress_for=

By default notices are suppressed for one hour, but it can be overridden with the line above. In practice that would look like …

  NOTICE([$note=Password_Guessing,
          $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
          $src=key$host,
          # Override the default one-hour suppression for this notice.
          $suppress_for=5mins,
          # Repeats carrying the same identifier are suppressed for $suppress_for.
          $identifier=cat(key$host)]);

-Josh
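As an added example (not code from either reply above, nor from the Bro distribution), the same two changes can be made from a site-local script such as local.bro instead of editing the NOTICE call inside the shipped detect-bruteforcing script: email the notice via Notice::emailed_types, and shorten its suppression interval in a Notice::policy hook, which runs for every notice before suppression is scheduled. It assumes Bro 2.x, where the SSH::Password_Guessing type is defined by protocols/ssh/detect-bruteforcing and Notice::Info carries a settable $suppress_for field; the 5-minute value is the asker's choice, not a recommended default.

```bro
# Site-local override (added example, not from the thread).
# Load the script that defines SSH::Password_Guessing.
@load protocols/ssh/detect-bruteforcing

# Email this notice type whenever it is raised (same as Seth's line).
redef Notice::emailed_types += { SSH::Password_Guessing };

# Notice::policy runs for every notice; adjust only the one we care about.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSH::Password_Guessing )
		return;

	# Default suppression is Notice::default_suppression_interval (1 hour).
	# A repeated notice with the same $identifier (the guessing host) is
	# dropped until this interval expires, so 5 minutes means a host that
	# keeps guessing is reported again after 5 minutes rather than an hour.
	n$suppress_for = 5mins;
	}
```

Because the hook only touches notices whose $note is SSH::Password_Guessing, the hourly suppression of every other notice type, and the connection summary, is left as shipped.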