[Bro] question about send_email_notice

Matt Cuttler mcuttler at bnl.gov
Tue Feb 20 11:53:45 PST 2007

Bro users and developers,

We have modified our notice action filters; some notices/alerts get sent
via email (while others only get logged to file_notice).

A small snippet:

redef notice_action_filters += {
 [[AddressScan, PortScan, PasswordGuessing ]] = send_email_notice,
};

redef notice_action_filters += {
 [[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound ]] =

My question is: Is it easily possible to place additional information in
the email notices themselves?

For example, an AddressScan mail might simply say, " has
scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
("grep time" if you will) if the mail included the hosts which were
considered scanned by Bro.

Matt Cuttler
