diff --git a/doc/quickstart/index.rst b/doc/quickstart/index.rst index b506eb95c2..173373c769 100644 --- a/doc/quickstart/index.rst +++ b/doc/quickstart/index.rst @@ -234,7 +234,7 @@ is valid before installing it and then restarting the Bro instance: .. console:: [BroControl] > check - bro is ok. + bro scripts are ok. [BroControl] > install removing old policies in /usr/local/bro/spool/policy/site ... done. removing old policies in /usr/local/bro/spool/policy/auto ... done. @@ -250,15 +250,15 @@ is valid before installing it and then restarting the Bro instance: Now that the SSL notice is ignored, let's look at how to send an email on the SSH notice. The notice framework has a similar option called -``emailed_types``, but that can't differentiate between SSH servers and we -only want email for logins to certain ones. Then we come to the ``PolicyItem`` -record and ``policy`` set and realize that those are actually what get used -to implement the simple functionality of ``ignored_types`` and +``emailed_types``, but using that would generate email for all SSH servers and +we only want email for logins to certain ones. There is a ``policy`` hook +that is actually what is used to implement the simple functionality of +``ignored_types`` and ``emailed_types``, but it's extensible such that the condition and action taken on notices can be user-defined. -In ``local.bro``, let's add a new ``PolicyItem`` record to the ``policy`` set -that only takes the email action for SSH logins to a defined set of servers: +In ``local.bro``, let's define a new ``policy`` hook handler body +that takes the email action for SSH logins only for a defined set of servers: .. code:: bro 
@@ -276,9 +276,9 @@ that only takes the email action for SSH logins to a defined set of servers: You'll just have to trust the syntax for now, but what we've done is first declare our own variable to hold a set of watched addresses, -``watched_servers``; then added a record to the policy that will generate -an email on the condition that the predicate function evaluates to true, which -is whenever the notice type is an SSH login and the responding host stored +``watched_servers``; then added a hook handler body to the policy that will +generate an email whenever the notice type is an SSH login and the responding +host stored inside the ``Info`` record's connection field is in the set of watched servers. .. note:: Record field member access is done with the '$' character diff --git a/doc/scripting/framework_notice_shortcuts_01.bro b/doc/scripting/framework_notice_shortcuts_01.bro index cd51abd5b5..e637ce903e 100644 --- a/doc/scripting/framework_notice_shortcuts_01.bro +++ b/doc/scripting/framework_notice_shortcuts_01.bro @@ -2,7 +2,6 @@ @load base/protocols/ssh/ redef Notice::emailed_types += { - SSH::Interesting_Hostname_Login, - SSH::Login + SSH::Interesting_Hostname_Login }; diff --git a/doc/scripting/framework_notice_shortcuts_02.bro b/doc/scripting/framework_notice_shortcuts_02.bro index ac427ac8b7..a3301d138b 100644 --- a/doc/scripting/framework_notice_shortcuts_02.bro +++ b/doc/scripting/framework_notice_shortcuts_02.bro @@ -3,5 +3,4 @@ redef Notice::type_suppression_intervals += { [SSH::Interesting_Hostname_Login] = 1day, - [SSH::Login] = 12hrs, }; diff --git a/doc/scripting/index.rst b/doc/scripting/index.rst index f0e113a762..ba7e2b8d84 100644 --- a/doc/scripting/index.rst +++ b/doc/scripting/index.rst 
@@ -1252,8 +1252,8 @@ in the call to ``NOTICE``. .. btest-include:: ${DOC_ROOT}/scripting/framework_notice_shortcuts_01.bro -The Notice Policy shortcut above adds the ``Notice::Types`` of -SSH::Interesting_Hostname_Login and SSH::Login to the +The Notice Policy shortcut above adds the ``Notice::Type`` of +SSH::Interesting_Hostname_Login to the Notice::emailed_types set while the shortcut below alters the length of time for which those notices will be suppressed. diff --git a/scripts/base/frameworks/notice/main.bro b/scripts/base/frameworks/notice/main.bro index 8bf42a33e0..4790245de0 100644 --- a/scripts/base/frameworks/notice/main.bro +++ b/scripts/base/frameworks/notice/main.bro @@ -20,7 +20,8 @@ export { ## category along with the specific notice separating words with ## underscores and using leading capitals on each word except for ## abbreviations which are kept in all capitals. For example, - ## SSH::Login is for heuristically guessed successful SSH logins. + ## SSH::Password_Guessing is for hosts that have crossed a threshold of + ## heuristically determined failed SSH logins. type Type: enum { ## Notice reporting a count of how often a notice occurred. Tally, diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest index 0202fa3a28..7a0eaf5cb4 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_01_bro.btest @@ -6,7 +6,6 @@ framework_notice_shortcuts_01.bro @load base/protocols/ssh/ redef Notice::emailed_types += { - SSH::Interesting_Hostname_Login, - SSH::Login + SSH::Interesting_Hostname_Login }; 
diff --git a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest index 266a2e1fbb..0e92c5ea32 100644 --- a/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest +++ b/testing/btest/doc/sphinx/include-doc_scripting_framework_notice_shortcuts_02_bro.btest @@ -7,5 +7,4 @@ framework_notice_shortcuts_02.bro redef Notice::type_suppression_intervals += { [SSH::Interesting_Hostname_Login] = 1day, - [SSH::Login] = 12hrs, };
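Review bot: In the doc/quickstart/index.rst hunk at @@ -234, the console transcript now reads "bro scripts are ok." but a ``.. console::`` block is not verified by the btest suite, so please confirm that string against the current ``broctl check`` output on a live install before it lands; a transcript that drifts from the tool is worse than one that is simply terse.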
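Review bot: The prose in the doc/quickstart/index.rst hunk at @@ -250 now tells the reader to "define a new ``policy`` hook handler body", but the ``.. code:: bro`` block that immediately follows (roughly lines 262-275 of the file) is not touched by this patch, so the diff does not show whether that block still uses the old ``PolicyItem``/``policy`` set form. Please confirm the code block already uses the hook syntax, or include its update in this change; otherwise the quickstart's text and code will disagree.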
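Review bot: The doc/quickstart/index.rst hunk at @@ -276 drops the sentence about "the predicate function evaluates to true", which is correct for a hook, but the new text "then added a hook handler body to the policy that will generate an email" still carries the old semicolon-joined structure and drops the word "condition" that the paragraph before it introduced ("the condition and action taken on notices can be user-defined"). Suggest a short rewording such as "then added a ``policy`` hook body whose condition is that the notice type is an SSH login and the responding host ... is in the set of watched servers, and whose action is to email the notice", so the hook's condition and action are named in the same terms as the paragraph above.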
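Review bot: The doc/scripting/framework_notice_shortcuts_01.bro hunk removes ``SSH::Login`` from ``Notice::emailed_types`` and the main.bro hunk replaces it as the naming example, but nothing in this patch removes or renames the ``SSH::Login`` type itself under base/protocols/ssh/. The commit message should state why the type is no longer referenced (removed or renamed in an earlier change) so the reason for these doc edits is recorded; as it stands a reader of this diff cannot tell whether the examples were wrong or the type went away.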
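Review bot: In the doc/scripting/framework_notice_shortcuts_02.bro hunk the remaining entry keeps its trailing comma (``[SSH::Interesting_Hostname_Login] = 1day,``) while the parallel edit to framework_notice_shortcuts_01.bro was written without one (``SSH::Interesting_Hostname_Login`` followed directly by ``};``). For consistency between the two example scripts, and since both are rendered verbatim into the documentation, drop the trailing comma here too (and in the matching btest copy).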
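Review bot: In the doc/scripting/index.rst hunk at @@ -1252, "the shortcut below alters the length of time for which those notices will be suppressed" now refers back to a single type, so "those notices" should become "that notice" (or "notices of that type"). The same sentence marks up ``Notice::Type`` with double backticks but leaves ``SSH::Interesting_Hostname_Login`` and ``Notice::emailed_types`` as plain text; apply the literal markup to all three identifiers so the RST renders them consistently.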
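Review bot: The scripts/base/frameworks/notice/main.bro hunk changes a ``##`` doc comment that Broxygen renders into the generated reference, so the new example type should be one a reader can find; ``SSH::Password_Guessing`` is not defined anywhere in this diff, so please confirm it is still declared in the shipped scripts (and say in the commit message where). Also, the comment is illustrating the naming convention (category, underscore-separated words, leading capitals), so the sentence only needs to identify the type; "hosts that have crossed a threshold of heuristically determined failed SSH logins" is fine as description but "heuristically determined" applies to the logins' failure, not the threshold, and reads more clearly as "hosts that have exceeded a threshold of failed SSH logins".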