[Bro] Alarms in 2.0
Tyler T. Schoenke
tyler.schoenke at colorado.edu
Thu Apr 12 07:53:26 PDT 2012
Yes, works well when you don't misspell the sig_id. :) Thanks Justin!
Any ideas on how to make the MailAlarmsTo work?
Network Security Manager
IT Security Office
University of Colorado at Boulder
On 4/12/12 8:49 AM, Will wrote:
> On Wed, Apr 11, 2012 at 4:47 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> On Wed, Apr 11, 2012 at 03:29:28PM -0600, Tyler T. Schoenke wrote:
>>> Two questions regarding Alarms in 2.0.
>>> First, I created a signature and wanted to reduce the frequency that it
>>> fires. Does anyone have sample code for SIG_ALARM_PER_ORIG or some
>>> other way to send out a single alarm per source IP?
>> It looks like you are supposed to do something like
>> redef Signatures::actions += [ ["sig_id"] = SIG_ALARM_PER_ORIG ];
> This worked once I added the "Signatures" module to the SIG_ALARM_PER_ORIG.
> redef Signatures::actions += [ ["sig_id"] = Signatures::SIG_ALARM_PER_ORIG ];
>> -- Justin Azoff
>> -- Network Security & Performance Analyst
>> Bro mailing list
>> bro at bro-ids.org