processing all Notices

Hi,

Is there a good way to process all Notices without having any effect on
the Notices? Something like "event new_notice(n: Notice::Info)" would be
great.

(I'm trying to write a script to correlate multiple Notices and modify
firewall rules as appropriate.)

[Not sure if my previous reply went through - resending]

Hello David:

I have a very simple script which counts the number of notices per source and generates another notice. The new notice can be an escalation to a different action (Action::EMAIL or ACTION::DROP, etc.).

Consider this version 0.1, but you will get a good idea from it. I want to include another threshold for generating a notice if N distinct notice_types per source are seen. Additionally, such heuristics can be extended further.

Policy file attached.

Aashish

notice_count.bro (1.75 KB)
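A minimal version of the approach Aashish describes, written as an added example in current Zeek script syntax; it is not the attached notice_count.bro and not code from either poster. It assumes the hook-based Notice framework of present-day Zeek rather than the Bro release the thread is about, and the type name Repeat_Offender, the threshold and the window are values chosen for this example.

```zeek
@load base/frameworks/notice

module NoticeCount;

export {
    redef enum Notice::Type += {
        ## One source has accumulated too many notices (name chosen for this example).
        Repeat_Offender,
    };

    ## Notices from a single source before escalating (example value).
    const threshold = 5 &redef;

    ## How long a source's count is kept without new notices (example value).
    const window = 10min &redef;
}

# Per-source counter; an entry expires 'window' after it was created.
global notices_per_src: table[addr] of count &default=0 &create_expire=window;

# Notice::log_notice fires for every notice that reaches the notice log
# stream. Handling it observes notices without altering them, which is
# the read-only "event new_notice(n: Notice::Info)" David asked for.
event Notice::log_notice(rec: Notice::Info)
{
    # Skip notices that carry no source address, and our own escalation
    # notice so it does not count towards its own threshold.
    if ( ! rec?$src || rec$note == Repeat_Offender )
        return;

    ++notices_per_src[rec$src];

    # Raise the escalation once, exactly when the threshold is crossed.
    if ( notices_per_src[rec$src] == threshold )
        NOTICE([$note=Repeat_Offender,
                $src=rec$src,
                $n=notices_per_src[rec$src],
                $msg=fmt("%s raised %d notices within %s", rec$src, threshold, window),
                $identifier=cat(rec$src)]);
}

# Notice::policy is the modifying hook: attach the stronger action
# (here e-mail) only to the escalated notice type.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Repeat_Offender )
        add n$actions[Notice::ACTION_EMAIL];
}
```

Escalating to a drop action would be done the same way in the hook, with whatever action the local firewall integration provides.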


Thanks!