[Bro] bro alerts over email
vern at icir.org
Sun Mar 20 23:41:23 PST 2005
> 1) I am unable to redefine variables sensitive_URIs
> (policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
> policy file.
These are declared inside module scope, so you need <module>::<variable>
to access them. For example:
redef HTTP::sensitive_URIs += /rootdown.pl/;
> 2B) local action = notice_action_filters[n$note](n)
> gives the following error in the info.log file and bro stops:
Oops, a bug. Patch appended.
> in my site-policy file for getting email/page alerts. If I understand it
> correctly, I have to first put rootdown.pl (etc.) in the Sensitive_URI list
> to get bro to generate an alert and then declare that particular alert
> using the above $pred config in my site policy file. Right?
> Since this could lead to a lot of $pred declarations, is it possible to
> have a formation like the following for a similar category of alerts:
> /usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
> (/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
> boolean operands
One of the changes already in place for the next release is use of "||"
and "&&" for combining patterns, for exactly this sort of reason.
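As an added illustration (not part of Vern's reply or the Bro distribution), here is a site policy that extends the module-scoped HTTP::sensitive_URIs variable and routes the whole category of sensitive-URI notices through one notice_action_filters entry instead of one $pred per URI. It assumes the note raised by policy/http-request.bro is named HTTP::HTTP_SensitiveURI, that the matched text is available in n$msg (with the ?$ operator for the optional field), and that this runs on a release where "||" on patterns is not yet supported, so alternation is written inside a single pattern with "|".

```bro
# Added example, not code from the original message.
# Assumed names: HTTP::HTTP_SensitiveURI (note type), n$msg (matched text).

@load notice
@load http-request

# Patterns a site wants to be paged about versus merely mailed about.
# "|" alternation inside one pattern stands in for "||" on patterns,
# which this release does not accept.
const page_worthy_uris = /rootdown\.pl|lads\.exe/ &redef;
const mail_worthy_uris = /phpinfo\.php|\.bak$/ &redef;

# sensitive_URIs lives in module HTTP, so it must be qualified from
# site policy; "+=" on a pattern adds these alternatives to the list.
redef HTTP::sensitive_URIs += page_worthy_uris;
redef HTTP::sensitive_URIs += mail_worthy_uris;

# One filter for the whole category: pick the NoticeAction per notice
# rather than writing a separate $pred entry for every URI.
function route_sensitive_uri(n: notice_info): NoticeAction
	{
	# n?$msg guards the optional field; assumed available in this release.
	if ( n?$msg && page_worthy_uris in n$msg )
		return NOTICE_PAGE;

	if ( n?$msg && mail_worthy_uris in n$msg )
		return NOTICE_EMAIL;

	# Anything else in this category only goes to the notice file.
	return NOTICE_FILE;
	}

# notice_action_filters is indexed by note type; this one entry now
# covers every HTTP_SensitiveURI notice.
redef notice_action_filters += {
	[HTTP::HTTP_SensitiveURI] = route_sensitive_uri
};

# Destinations used by email_notice(): mail_dest for NOTICE_EMAIL and
# mail_page_dest for NOTICE_PAGE (placeholder addresses).
redef mail_dest = "security@example.com";
redef mail_page_dest = "oncall-pager@example.com";
```

With "||" available in the next release, the two constants can be combined directly in the redef instead of relying on in-pattern alternation.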
diff -Lpolicy/notice.bro -Lpolicy/notice.bro -u -r1.14 -r1.15
@@ -181,13 +181,11 @@
-function email_notice(n: notice_info)
+function email_notice(n: notice_info, action: NoticeAction)
if ( ! reading_live_traffic() || mail_dest == "" )
- local action = notice_action_filters[n$note](n);
# Choose destination address based on action type.
local destination = (action == NOTICE_EMAIL) ?
mail_dest : mail_page_dest;
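Review bot: with `action` now passed in by the caller, the early-return guard `if ( ! reading_live_traffic() || mail_dest == "" )` still checks only `mail_dest`, yet the function can be entered with `action == NOTICE_PAGE`, where the address selected a few lines later is `mail_page_dest`; an empty `mail_page_dest` would then be handed to the mailer. Consider computing `destination` first and returning when that value is empty, e.g. `if ( ! reading_live_traffic() || destination == "" ) return;`. Dropping the `notice_action_filters[n$note](n)` lookup here also means this function no longer validates `action` itself, which is worth a one-line comment on the new signature.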
@@ -311,7 +309,7 @@
if ( action != NOTICE_FILE )
if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )
+ email_notice(n, action);
if ( use_tagging )
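Review bot: the signature of `email_notice` changed in the previous hunk, but this hunk only shows the new two-argument call `email_notice(n, action);` being added; the header's equal line counts (`-311,7 +309,7`) imply the old one-argument call was removed, which is not visible here. Confirm that no other call sites, including site policies that call `email_notice` directly, still use the old arity, since those would now fail when the policy is loaded.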