Question from a beginner

Hi all,

I’ve used BRO for over a year now (ver 1.5 and older). However, I’m not an advanced user. Most of my time with BRO is spent accessing dns and http logs for analysis, and nothing fancy like writing scripts or setting up a BRO box (all of our BRO boxes were set up by someone else). Today, I decided to do something new and installed a brand new BRO 2.0 box. And let me tell you…it is night and day different from ver 1.5. Anyway, after installation, I started it up…and have no idea where to go next… :(

Here is what I’m trying to do with this setup for now: have it detect and send email alerts on any downloads of executable/suspicious files. I remember one of our old boxes uses a script called “http-ext-identified-files.bro” for this purpose (I believe it was written by Mr. Seth Hall). In the new BRO 2.0, I’ve looked around the /base/protocols/http folder and found something similar. How do I get this to work and have it email a specified email address when a host performs a download of these files? How do I get BRO to email me whenever something is triggered?

Thanks much for your time,
JPN

Yep, that same functionality is built into Bro. My -ext scripts are no longer relevant with 2.0 since they have essentially become 2.0. :)

We have a shorthand method for creating a notice policy (very similar to 1.5's notice policy and documented [1]) and the new notice with the same functionality is HTTP::Incorrect_File_Type. I've included a few extra notices that you might want to be notified about as well.

redef Notice::emailed_types += {
        HTTP::Incorrect_File_Type,
        HTTP::SQL_Injection_Victim,
        SSH::Interesting_Hostname_Login,
        HTTP::Malware_Hash_Registry_Match,
};

1. http://www.bro-ids.org/documentation/notice.html#processing-notices

  .Seth
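As an added illustration (not part of Seth's reply), the snippet below shows the redef above placed in a site policy file together with the one setting the notice framework needs before any email can actually leave the box: Notice::mail_dest, the recipient address. The recipient address and the assumption that the file is loaded as the site's local.bro are placeholders; check notice.log after a test download to confirm the notice fires before troubleshooting mail delivery.

```bro
# Example site policy (e.g. local.bro, loaded by BroControl) -- added example, not from the thread.

# Recipient for emailed notices; placeholder address, set it to your own.
# With BroControl this is normally filled in from MailTo in broctl.cfg.
redef Notice::mail_dest = "security-alerts@example.invalid";

# Notice types that should be emailed in addition to being written to notice.log.
# HTTP::Incorrect_File_Type is the 2.0 equivalent of the old -ext identified-files alert.
redef Notice::emailed_types += {
        HTTP::Incorrect_File_Type,
        HTTP::SQL_Injection_Victim,
        SSH::Interesting_Hostname_Login,
        HTTP::Malware_Hash_Registry_Match,
};
```

Every notice, emailed or not, still lands in notice.log, so that file is the first place to look when an expected alert does not arrive: if the notice is there but no mail came, the problem is the mail_dest setting or the host's sendmail, not the detection.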