Package: base/frameworks/notice

The notice framework enables Bro to “notice” things which are odd or potentially bad, leaving it to the local configuration to define which of them are actionable. This decoupling of detection and reporting allows Bro to be customized to the different needs that sites have.

base/frameworks/notice/__load__.bro

base/frameworks/notice/main.bro

This is the notice framework which enables Bro to “notice” things which are odd or potentially bad. Decisions of the meaning of various notices need to be done per site because Bro does not ship with assumptions about what is bad activity for sites. More extensive documentation about using the notice framework can be found in Notice Framework.

base/frameworks/notice/weird.bro

This script provides a default set of actions to take for “weird activity” events generated from Bro’s event engine. Weird activity is defined as unusual or exceptional activity that can indicate malformed connections, traffic that doesn’t conform to a particular protocol, malfunctioning or misconfigured hardware, or even an attacker attempting to avoid/confuse a sensor. Without context, it’s hard to judge whether a particular category of weird activity is interesting, but this script provides a starting point for the user.

base/frameworks/notice/actions/drop.bro

This script extends the built in notice code to implement the IP address dropping functionality.

base/frameworks/notice/actions/email_admin.bro

Adds a new notice action type which can be used to email notices to the administrators of a particular address space as set by Site::local_admins if the notice contains a source or destination address that lies within their space.

base/frameworks/notice/actions/page.bro

Allows configuration of a pager email address to which notices can be sent.

base/frameworks/notice/actions/add-geodata.bro

This script adds geographic location data to notices for the “remote” host in a connection. It does make the assumption that one of the addresses in a connection is “local” and one is “remote” which is probably a safe assumption to make in most cases. If both addresses are remote, it will use the $src address.

base/frameworks/notice/extend-email/hostnames.bro

Loading this script extends the Notice::ACTION_EMAIL action by appending to the email the hostnames associated with Notice::Info’s src and dst fields as determined by a DNS lookup.

base/frameworks/notice/non-cluster.bro

base/frameworks/notice/actions/pp-alarms.bro

Notice extension that mails out a pretty-printed version of alarm.log in regular intervals, formatted for better human readability. If activated, that replaces the default summary mail having the raw log output.

Copyright 2016, The Bro Project. Last updated on December 07, 2018. Created using Sphinx 1.8.2.