Notifications from Local.bro

Damon_Rouse · May 19, 2014, 10:58pm

Hi Everyone

I’m pretty new to BRO and have a quick question about setting up alerts from Bro. Inside my Local.bro file I have the following what’s below (which works great). If I uncomment the emailed_types redef, Bro errors out after running the following sudo broctl install && sudo broctl restart. The error is: manager terminated immediately after starting; check output with “diag”

Can you only have one redef statement in the local.bro file? Or did I make a mistake somewhere?

hook Notice::policy(n: Notice::Info)
{
add n$actions[Notice::ACTION_EMAIL];
}

redef Notice::emailed_types += {

HTTP::Incorrect_File_Type,
SSH::Interesting_Hostname_Login,
HTTP::Malware_Hash_Registry_Match,
APT1::Domain_Hit,
APT1::Certificate_Hit,
APT1::File_MD5_Hit,
};

redef Notice::ignored_types += { SSL::Invalid_Server_Cert };

Thanks!

Jon_Schipp · May 20, 2014, 12:28am

Just to be sure, are you uncommenting the entire emailed_types redefinition?
You have a comment character at the beginning of the definition in your output, “# redef Notice::emailed_types +=”.

Siwek_Jon · May 20, 2014, 12:43am

More than one redef is fine. After the failed start, if you do `broctl diag`, it may give more of a clue as to what’s wrong. Can you share the output of that if you need more help interpreting the error?

- Jon

Damon_Rouse · May 20, 2014, 2:34am

Yes, I’m removing that last comment character. I’ll run and post the diag later tonight.

Thanks

Damon_Rouse · May 20, 2014, 5:39am

Here’s the output of the diag after I uncommented redef and restarted BRO. Not sure why it’s saying the HTTP::Incorrect_File_Type is an unknown identifier. Thanks for your help

Damon

sudo broctl diag
waiting for lock ..... ok
[manager]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== stderr.log
error in /nsm/bro/spool/installed-scripts-do-not-touch/site/local.bro, line 99: unknown identifier HTTP::Incorrect_File_Type, at or near "HTTP::Incorrect_File_Type"

==== stdout.log
unlimited
unlimited
unlimited

==== .cmdline
-U .status -p broctl -p broctl-live -p local -p manager local.bro broctl base/frameworks/cluster local-manager.bro broctl/auto

==== .env_vars
PATH=/opt/bro/bin:/opt/bro/share/broctl/scripts:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
BROPATH=/nsm/bro/spool/installed-scripts-do-not-touch/site::/nsm/bro/spool/installed-scripts-do-not-touch/auto:/opt/bro/share/bro:/opt/bro/share/bro/policy:/opt/bro/share/bro/site
CLUSTER_NODE=manager

==== .status
TERMINATED [atexit]

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[proxy]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-1]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-2]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-3]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-4]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-5]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-6]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-7]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth1-8]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-1]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-2]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-3]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-4]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-5]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-6]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-7]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log
[essorgso-eth2-8]

Bro 2.2
Linux 3.2.0-61-generic

==== No reporter.log

==== No stderr.log

==== No stdout.log

==== No .cmdline

==== No .env_vars

==== No .status

==== No prof.log

==== No packet_filter.log

==== No loaded_scripts.log

johanna · May 20, 2014, 5:57am

HTTP::Incorrect_File_Type was removed with an overhaul of the files framework even before 2.2, if I read the git commit log correctly. So - you probably just want to remove that one from your script.

Johanna

Damon_Rouse · May 20, 2014, 6:15am

Thanks Johanna

I’m all good now…Looks like this one was removed too (got the same error): HTTP::Malware_Hash_Registry_Match

Is there a link to all the notice types somewhere for a beginner like me?

Thanks
Damon

Seth_Hall3 · May 20, 2014, 12:17pm

I’m all good now…Looks like this one was removed too (got the same error): HTTP::Malware_Hash_Registry_Match

It was renamed because it's now generic across any file protocol. TeamCymruMalwareHashRegistry::Match

Is there a link to all the notice types somewhere for a beginner like me?

Yes. http://www.bro.org/sphinx/bro-noticeindex.html

.Seth

Damon_Rouse · May 20, 2014, 3:42pm

Thanks for the help everyone, much appreciated!

Topic		Replies	Views
Bro manager crashing Zeek	5	64	May 6, 2022
Email Notice attempt #2 Zeek	4	57	May 6, 2022
Question on "already defined (Notice::policy)" error Zeek	5	62	May 6, 2022
Changing notice log entry actions from Action::Log to Action::Email Zeek	3	66	May 6, 2022
Question about no mail from bro-2.5.4 Zeek	1	63	May 6, 2022

Notifications from Local.bro

redef Notice::emailed_types += {

Related Topics