Hello Everyone,
New to Bro, so please bear with me, but I can’t seem to find my answer online.
Can anyone tell me / point me in the direction to set up Bro to have the alert notices come in every 5-10 mins and not hourly?
I don’t want the connection summary every 5 mins; that can stay every hour. I just want to see the SSH password guessing faster.
This will send you an email each time the notice happens:
redef Notice::emailed_types += { SSH::Password_Guessing };
.Seth
Add this field to any notice interval you’d like to change:
$suppress_for=
By default notices are suppressed for one hour, but it can be overridden with the line above. In practice that would look like …
NOTICE([$note=Password_Guessing,
        $msg=fmt("%s appears to be guessing SSH passwords (seen in %d connections).", key$host, r$num),
        $src=key$host,
        $suppress_for=5mins,
        $identifier=cat(key$host)]);
-Josh
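
Added example, not part of the original thread: the two replies above combined in site policy through the notice framework's Notice::policy hook, so the shipped SSH detection script does not need to be edited. It assumes a Bro 2.x install with the stock protocols/ssh/detect-bruteforcing script; the file name local.bro is the usual site file and an assumption here.

```bro
# local.bro -- added example, not code from the thread.
# Assumes the Bro 2.x notice framework and the stock SSH brute-force script.
@load protocols/ssh/detect-bruteforcing

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		{
		# Allow the notice to be raised again for the same host after
		# 5 minutes instead of the default one-hour suppression.
		n$suppress_for = 5mins;

		# Mail this notice when it fires instead of waiting for the
		# hourly summary. Delivery needs a mail destination to be
		# configured (Notice::mail_dest, or MailTo under BroControl).
		add n$actions[Notice::ACTION_EMAIL];
		}
	}
```

Other notice types and the hourly connection summary are untouched, because the hook only acts when the note is SSH::Password_Guessing.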