[Bro] re: Alternative from addresses in emails (diff output, and fixed)

Mcclelland-Bane, Randy rmcclel at sandia.gov
Wed Jul 27 19:18:23 PDT 2005


See below for diff -u output. This is based on the development branch
0.9a9. The last message I sent had a bug where the "To:" address wasn't
set so sometimes the messages arrived to "Undisclosed recipients." That
is fixed now.

These will be helpful for those of you who want a configurable FROM:
address, or the ability to send a mix of encrypted/plaintext reports.

The first patch converts the bro report/notice mailing scripts and
config file to use sendmail instead of mail. This allows the
configuration of BRO_EMAIL_FROM in bro.cfg, which specifies the From:
address on outgoing messages.

The second patch expands on the first patch slightly and adds in a failover 
mode in the mail_reports.sh script which will send plaintext if the gpg process fails.
I put this in so that you could have some copies of the reports encrypted if you had the
public key for the recipient, and leave others in plaintext if the key did not exist. 
There should be a more elegant way to check whether the public key exists and base the decision on
that. Right now I'm just basing it on the process failing, but it should do key checking.

* Be very careful with the second patch, as you could be sending plaintext when you
don't wish to if you have errors with gpg keys, etc. *

You can add in the second patch on top of the first one, but don't try it by itself.

To apply either of these do:
cd /path/to/bro-tar-unpacked/scripts
patch < patchfile

Cheers,

Randy

## BEGIN FIRST PATCH

--- bro.cfg.example     2004-12-03 09:37:44.000000000 -0800
+++ ../../BRO/bro.cfg.example   2005-07-26 14:47:56.000000000 -0700
@@ -106,6 +106,9 @@
 # Email address for local reports to be mailed to
 BRO_EMAIL_LOCAL="bro at localhost"

+# Email address to send from
+BRO_EMAIL_FROM="bro at localhost"
+
 # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
 BRO_EMAIL_EXTERNAL="NO"

--- bro_config.in       2005-02-09 00:22:02.000000000 -0800
+++ ../../BRO/bro_config.in     2005-07-26 14:47:56.000000000 -0700
@@ -334,6 +334,9 @@
 # Email address for local reports to be mailed to
 BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}"

+# Email address to send from
+BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}"
+
 # Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
 BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}"
 export BRO_EMAIL_EXTERNAL
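Review bot: `BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}"` inherits whatever BRO_EMAIL_LOCAL holds, and mail_reports.sh iterates that variable with `for recpt in $BRO_EMAIL_LOCAL`, so it can be a space-separated list; the From: header and `sendmail -f` would then receive the whole list, and when BRO_EMAIL_LOCAL is left at its `NO` default the sender becomes the literal `NO`. Defaulting to the first address only, `BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-${BRO_EMAIL_LOCAL%% *}}"`, covers the list case; the `NO` case still needs either an explicit check or a fixed fallback address. The hunk also adds no `export BRO_EMAIL_FROM`, while the last context line shows the neighbouring variable being exported — worth confirming whether the mail scripts read this variable from the environment or by sourcing the generated config.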
--- mail_notice.sh      2004-12-17 15:03:47.000000000 -0800
+++ ../../BRO/mail_notice.sh    2005-07-27 16:59:55.000000000 -0700
@@ -2,5 +2,26 @@
 #
 # This is a sample script to provide basic email notification for
 # notices marked NOTICE_EMAIL .
+# Usage: mail_notice "subject" recipient (optional config path)

-mail -s "Bro alarm: $1" $2
+notice="/tmp/bro.notice.$$"
+
+# Clean up after ourselves
+trap "rm -f $notice; exit" 1 2 15
+
+# where are we located
+base=`dirname $0`
+
+#set up the environment
+if [ $3 ] ; then
+   . $3
+else
+   . $base/../etc/bro.cfg
+fi
+
+echo "From:<$BRO_EMAIL_FROM>" > $notice
+echo "To:<$2>" >> $notice
+echo "Subject: Bro alarm: $1" >> $notice
+
+cat $notice | sendmail -oi -f $BRO_EMAIL_FROM $2
+rm -f $notice
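Review bot: The notice body is lost: the removed `mail -s "Bro alarm: $1" $2` read the message text from stdin, but the new script only writes three header lines to `$notice` and pipes that file into sendmail, so stdin is never read and the recipient gets a message with no body and no blank line ending the header block. Writing the headers and then stdin straight into sendmail fixes both and removes the temp file, whose name `/tmp/bro.notice.$$` is predictable in a shared directory (the same applies to `tmp_file` in mail_reports.sh; `mktemp` is the usual replacement). Quoting the expansions keeps an address with whitespace from being split into extra sendmail arguments. `$3` is sourced as a shell file, so the config path must only ever come from a trusted caller.
```shell
# … unchanged: trap, base, config sourcing …
{
  printf 'From: <%s>\n' "$BRO_EMAIL_FROM"
  printf 'To: <%s>\n' "$2"
  printf 'Subject: Bro alarm: %s\n' "$1"
  printf '\n'          # empty line ends the header block
  cat                  # notice body arrives on stdin, as with the old mail(1) call
} | sendmail -oi -f "$BRO_EMAIL_FROM" "$2"
```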
--- mail_reports.sh     2004-12-09 15:26:19.000000000 -0800
+++ ../../BRO/mail_reports.sh   2005-07-27 18:40:41.000000000 -0700
@@ -6,8 +6,12 @@
 #
 # Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg)

+gpg_error=""
+sent_message=""
+tmp_file="/tmp/bro.report.$$"
+
 # Clean up after ourselves
-trap "rm /tmp/bro.report.$$; exit" 1 2 15
+trap "rm $tmp_file; exit" 1 2 15

 # where are we located
 base=`dirname $0`
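Review bot: `trap "rm $tmp_file; exit" 1 2 15` still runs `rm` without `-f`, so a signal arriving before the first `echo ... > $tmp_file` (for example while the `ls`/`grep` that follow are running) prints an rm error on the way out; the removed line had the same problem, but since the hunk rewrites it anyway, `trap "rm -f $tmp_file; exit" 1 2 15` is the cheap fix. Assigning `tmp_file="/tmp/bro.report.$$"` fixes the name before any file exists, so a `tmp_file=$(mktemp /tmp/bro.report.XXXXXX) || exit 1` at the same spot would also work with this trap unchanged.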
@@ -23,25 +27,40 @@
 report=`ls -1t $BRO_REPORT_DIR/local/$BRO_SITE_NAME*.rpt | head -1`
 report_interval=`grep Report $report | awk '{print $6,"-",$9}'`

+# set up temporary report with subject line embedded
+report_subject="Subject: $BRO_HOSTNAME Report: $report_interval"
+
 # and email it
 # if encrypted make sure we have a good (gpg) bin  and keys
 if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then
     if [ -x $BRO_GPG_BIN ] ; then
-        for recpt in $BRO_EMAIL_LOCAL ;  do
-            cat $report | $BRO_GPG_BIN --yes -ea -r $recpt|mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt
+        for recpt in $BRO_EMAIL_LOCAL ;  do
+            echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+            echo "To: <$recpt>" >> $tmp_file
+            echo "$report_subject" >> $tmp_file
+            cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+            cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
         done
+        sent_message="1"
+        rm $tmp_file
     else
-        echo "Invalid gpg bin $BRO_GPG_BIN" > /tmp/bro.report.$$
+        gpg_error="1"
     fi
-else # not ENCRYPTED
-    cat $report > /tmp/bro.report.$$
 fi

 # if there was an error or we are sending unencrypted ...
-if [ -r /tmp/bro.report.$$ ] ; then
+if [ -z $sent_message ] ; then
     for recpt in $BRO_EMAIL_LOCAL ;  do
-         cat /tmp/bro.report.$$ | mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt
+        echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+        echo "To: <$recpt>" >> $tmp_file
+        echo "$report_subject" >> $tmp_file
+        cat $report >> $tmp_file
+        if [ $gpg_error ] ; then
+            echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file
+        fi
+        cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
     done
-    rm  /tmp/bro.report.$$
+    rm  $tmp_file
 fi
 exit 0
+
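Review bot: Neither message assembled in this hunk ends its header block: after `echo "$report_subject" >> $tmp_file` (once in the encrypted loop, once in the plaintext loop) the body is appended directly, so the first body line — the `-----BEGIN PGP MESSAGE-----` armor line or the first report line — either becomes a malformed header or silently ends the headers, depending on the MTA, and the encrypted mail may not be recognised as such by the reader. Add `echo "" >> $tmp_file` after each of the two subject lines. `[ -z $sent_message ]` and `[ $gpg_error ]` only work because the variables are either empty or `1`; `[ -z "$sent_message" ]` makes the test independent of that. The encrypted loop also ignores gpg's exit status, so a failed encryption still hands whatever gpg wrote to sendmail.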




## BEGIN SECOND PATCH

--- mail_reports.sh     2005-07-27 18:40:41.000000000 -0700
+++ mail_reportsMIX.sh  2005-07-27 18:40:29.000000000 -0700
@@ -39,6 +39,13 @@
             echo "To: <$recpt>" >> $tmp_file
             echo "$report_subject" >> $tmp_file
             cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+            # If the encryption fails, send it unencrypted
+            if [ $? -ne 0 ] ; then
+                echo "From:<$BRO_EMAIL_FROM>" > $tmp_file
+                echo "To: <$recpt>" >> $tmp_file
+                echo "$report_subject" >> $tmp_file
+                cat $report >> $tmp_file
+            fi
             cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
         done
         sent_message="1"
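Review bot: Falling back to plaintext on any non-zero gpg status turns every gpg problem — an unreadable keyring, an expired or untrusted key, a bad `--homedir` — into an unencrypted copy of the report, and nothing in the mail or on stderr records that this happened. The decision should be made up front on whether a key for the recipient exists, `$BRO_GPG_BIN --list-keys "$recpt"`, with a failure on a known key treated as an error rather than a downgrade, and the subject of a plaintext copy marked so the downgrade is visible; the rewritten loop body is below. The new `From:<$BRO_EMAIL_FROM>` on the first fallback line also drops the space the other header lines use. The `for recpt` loop this sits in starts before the hunk.
```shell
for recpt in $BRO_EMAIL_LOCAL ;  do
    echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
    echo "To: <$recpt>" >> $tmp_file
    # Decide up front: encrypt when a public key for this recipient is in the
    # keyring; a gpg failure on a known key is an error, not a reason to downgrade.
    if $BRO_GPG_BIN --list-keys "$recpt" >/dev/null 2>&1 ; then
        echo "$report_subject" >> $tmp_file
        echo "" >> $tmp_file
        if ! cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file ; then
            echo "gpg failed for $recpt, report not sent" >&2
            continue
        fi
    else
        echo "no gpg key for $recpt, sending plaintext" >&2
        echo "$report_subject (unencrypted)" >> $tmp_file
        echo "" >> $tmp_file
        cat $report >> $tmp_file
    fi
    cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
done
```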



