Intel hits not being emailed

Hi All,

Using CIF with my bro install (checked out from git). I've got the
following in my local.bro:

@load frameworks/intel/seen
@load frameworks/intel/do_notice
@load policy/integration/collective-intel

redef Intel::read_files += {
  "/usr/local/bro/share/bro/site/infrastructure_scan.intel",
  "/usr/local/bro/share/bro/site/domain_botnet.intel",
};

redef Notice::emailed_types += {
        Intel::Notice,
};

redef Notice::type_suppression_intervals += {
        [Intel::Notice] = 1day,
};

I see hits in my intel.log files but I don't get emails about this. Am I
missing something? I'd taken this directly from the bro blog.

Cheers,
Harry

By default, notices are not generated for intel hits. There is a script that we ship with Bro that gives you the ability to turn intel hits into notices based on a field in the intel data (more information can be found here: https://www.bro.org/bro-exchange-2013/exercises/intel.html). If you have a solid idea of how you'd like things to work best for you, please let me know. There are many ways we could make this work. :wink:

  .Seth
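An added illustration of the mechanism Seth describes (constructed for this thread, not Harry's local.bro or Bro's shipped scripts): the do_notice script only raises Intel::Notice when the intel record itself says so via the `meta.do_notice` column, and its optional `meta.if_in` column can restrict the notice to hits seen at a particular location, e.g. an HTTP Host header rather than any connection touching the indicator. Feed name, recipient address and the two indicators are placeholders.

```bro
# Added example: local.bro additions so that the shipped do_notice script turns
# selected intel hits into Intel::Notice notices that are then emailed.
# Assumption: the intel file carries the optional meta.do_notice and meta.if_in
# columns that policy/frameworks/intel/do_notice.bro adds to Intel::MetaData.
@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/domain_botnet.intel",
};

# Constructed contents of domain_botnet.intel. Columns MUST be separated by
# tabs, not spaces, and "-" leaves an optional field unset. With meta.if_in set,
# a bare scan hitting the indicator does not fire a notice, but an HTTP request
# carrying it in the Host header does; the second row is matched and logged to
# intel.log but never becomes a notice because meta.do_notice is F.
#
# #fields	indicator	indicator_type	meta.source	meta.do_notice	meta.if_in
# bad.example	Intel::DOMAIN	constructed-feed	T	HTTP::IN_HOST_HEADER
# 192.0.2.10	Intel::ADDR	constructed-feed	F	-

redef Notice::mail_dest = "soc@example.invalid";   # placeholder recipient

redef Notice::emailed_types += { Intel::Notice };

redef Notice::type_suppression_intervals += {
    [Intel::Notice] = 1day,
};
```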

Thanks, Seth.

So, I think ideally I'd like to be able to alert not solely upon
connection but upon a conversation as determined either at the app level
or a combination of other flow criteria that might indicate more than
just a scan is happening.

In a large, open network, getting hits from scans is less useful than it
might be in other environments.

I'll have a read over the tutorial and see where that gets me... Likely
more questions to follow :wink:

Cheers,
Harry