Hello all,
I am standing up what will become my first production Bro server. I am most interested in the Intel Framework and alerting on Intel hits and sending those alerts to the team.
So far in testing the Intel framework is working great and the hits are going to the notice.log per the exercise from the 2013 exchange (I have about 28k domain names in there and it seems to be working great).
The problem I am having is sending email alerts from the notices. If I append the following into local.bro (from the post http://mailman.icsi.berkeley.edu/pipermail/bro/2013-December/007185.html) then it seems to kill the intel hits (none to notices and no intel.log generated).
hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_ALARM];
    }
If this section of code comes before the intel framework section, then the intel hits function fine, but I get no emails.
My Bro scripting talents are still in development (i.e. I am not very good at it), but it seems like I am overwriting a variable (n) since it is used for the notice script and in do_notice. Or I may be completely wrong - I admit I have much to learn.
Has anyone else scripted emailing Intel hits out to the team and could point me in the right direction? Ideally I want the intel hits to go to notice.log and email out anything that goes to notices.
My section for the Intel Framework in local.bro is the following:
@load policy/frameworks/intel/seen
@load frameworks/intel/do_notice

# Straight ASCII quotes are required here; curly quotes are not valid Bro string delimiters.
redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/file1.dat",
    "/usr/local/bro/share/bro/site/file2.dat",
    "/usr/local/bro/share/bro/site/file3.dat",
};
Best Regards,
Derek
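For reference, the following is an added local.bro fragment (not code from the post above or from the Bro project) that combines the Intel framework with a Notice::policy hook that mails each Intel::Notice as it fires. It assumes the same three intel files as the post, a mail destination of secteam@example.com (a placeholder) and a working sendmail at the default path Bro expects. Note that Notice::ACTION_ALARM writes the notice to alarm.log and only mails a periodic summary, whereas Notice::ACTION_EMAIL sends a message per notice.

```bro
# local.bro (added example; assumes Bro 2.x)

# Load the Intel framework's observation scripts and the do_notice policy,
# which raises Intel::Notice for every matched item whose meta.do_notice is T.
@load policy/frameworks/intel/seen
@load frameworks/intel/do_notice

# Intel files are read and watched for changes; paths taken from the post.
redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/file1.dat",
    "/usr/local/bro/share/bro/site/file2.dat",
    "/usr/local/bro/share/bro/site/file3.dat",
};

# Where notices are mailed. Placeholder address; Bro sends nothing while this is "".
redef Notice::mail_dest = "secteam@example.com";

# Mail only intel hits rather than every notice type that reaches the
# Notice framework. Every Intel::Notice still lands in notice.log.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

The same effect can be had without a hook by redefining the built-in set Notice::emailed_types (`redef Notice::emailed_types += { Intel::Notice };`), which Bro's own policy turns into ACTION_EMAIL. With roughly 28k indicators in play, mailing one message per hit can become noisy quickly, so a per-note decision as above (or a narrower test on n$src and n$sub) keeps the alerting channel usable for the team.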