Hello all, trying to learn bro scripting. I am working through the exercises from the 2011 workshop and I’m getting an error.
I’m on this page: https://www.bro.org/bro-workshop-2011/exercises/notices/index.html
I’m on Part 3, More Advanced Policy Notice, running this script:
const watched_servers: set[addr] = {
	172.16.238.136,
	172.16.238.168,
} &redef;

redef Notice::policy += {
	[$action = Notice::ACTION_ALARM,
	 $pred(n: Notice::Info) =
		{
		return n$note == SSH::Login && n$id$resp_h in watched_servers;
		}
	]
};
And I'm getting an error that says
#bro -r ssh.pcap local advancebro.bro
error in ./advancebro.bro, line 10: unknown identifier SSH::Login, at or near "SSH::Login"
seth (August 3, 2017, 1:54am) #2
Sorry, that code is out of date! Quite a few years have passed since that workshop. Are you just trying to go through the workshop code, or are you actually trying to achieve a particular behavior? If you're trying to achieve a behavior, I can help you out with the more modern way to do that if you'd like. If you are just trying to go through the workshop code, then I'd say to just skip that one.
Have you looked at the exercises on http://try.bro.org/?
.Seth
I’m trying to do several things. My main goal is to learn how to script so I can build notices and alerts based on threats specific to my environment.
Right now, I’m trying to figure out how to get bro to send an email when it generates a notice.
I’ve been looking at this page:
https://www.bro.org/sphinx-git/frameworks/notice.html
and this page:
https://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.bro.html
and this email from the archive:
http://mailman.icsi.berkeley.edu/pipermail/bro/2014-October/007621.html
and this reference from a google search:
https://books.google.com/books?id=TTIDAQAAQBAJ&pg=PA283&lpg=PA283&dq=Notice::mail_dest&source=bl&ots=Uw_GRZCI2Q&sig=lzDZWVnDNdfIuFaRP16OWgXvk-4&hl=en&sa=X&ved=0ahUKEwinzbCT97nVAhUC7IMKHaBzDjkQ6AEIPTAE
But my attempt at putting all of that together using the example script from the aforementioned 2011 exercise isn’t working…
# Makes SSH::Password_Guessing known when this script is run on its own;
# local.bro already loads it, so this is harmless when loaded alongside local.
@load protocols/ssh/detect-bruteforcing

#redef Notice::alarmed_types += {
#	SSH::Password_Guessing
#};

redef Notice::ignored_types += {
};

# Straight quotes and no trailing space inside the address.
redef Notice::mail_dest = "reswob10@gmail.com";

# Notice::policy is a hook in Bro 2.x: add the email action to the notice
# as it passes through, instead of redef'ing a set of policy items.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_EMAIL];
	}
Any direction you can provide would be helpful.
And yes, I’ve gone through most of those exercises at try.bro.org, but they don’t cover how to send notices via email.
Thanks.
Craig
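The script below is an added example, not code from this thread or from the Bro project, that puts the two attempts above into the Bro 2.x hook-based form. The mail addresses, the sendmail path and the lowered guessing threshold are placeholders chosen for illustration; the `watched_servers` addresses are the ones from the 2011 exercise. It shows the two ways the notice framework lets you request email: the declarative `Notice::emailed_types` set, which is the modern counterpart of the workshop's `redef Notice::policy += { [$action = ...] }` item, and the `Notice::policy` hook for conditions that depend on the notice's fields. `SSH::Password_Guessing` carries only `$src` (the guessing host) and no connection `$id`, so the responder check from the 2011 script is applied only to notices that actually have an `$id`. One caveat the thread does not mention: the framework's `Notice::email_notice_to` returns early when `reading_traces()` is true, so `bro -r ssh.pcap local thisscript.bro` records the notice with `Notice::ACTION_EMAIL` in the `actions` column of notice.log but never invokes sendmail; to see a message delivered, run against a live interface.

```bro
@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

# Servers whose traffic should page us (addresses from the 2011 exercise).
const watched_servers: set[addr] = {
	172.16.238.136,
	172.16.238.168,
} &redef;

# Mail settings. All placeholders; set them for your site.
redef Notice::mail_dest = "soc@example.com";
redef Notice::mail_page_dest = "oncall@example.com";
redef Notice::mail_from = "Bro <bro@example.com>";
redef Notice::sendmail = "/usr/sbin/sendmail";
redef Notice::mail_subject_prefix = "[Bro]";

# Example tuning so a small test trace trips the detector; the shipped
# default is 30 failed guesses within SSH::guessing_timeout.
redef SSH::password_guesses_limit = 5;

# Mechanism 1: unconditional. Every notice of these types gets
# Notice::ACTION_EMAIL added by the framework itself.
redef Notice::emailed_types += {
	SSH::Password_Guessing
};

# Mechanism 2: conditional. The hook runs for every notice; add actions
# based on its fields. Optional fields must be tested with ?$ before use.
hook Notice::policy(n: Notice::Info)
	{
	# Any notice that carries a connection id and targets a watched server.
	if ( n?$id && n$id$resp_h in watched_servers )
		add n$actions[Notice::ACTION_EMAIL];

	# Password_Guessing has no $id, only $src. A watched server that is
	# itself guessing passwords is a likely compromise: page rather than mail.
	if ( n$note == SSH::Password_Guessing && n?$src && n$src in watched_servers )
		add n$actions[Notice::ACTION_PAGE];
	}
```

To deploy, save it next to local.bro and add `@load ./email-ssh` (or whatever you name the file) to local.bro, then confirm the actions were attached with `bro-cut note actions < notice.log` before worrying about mail delivery.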