[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Chris Crawford christopher.p.crawford at gmail.com
Tue Aug 28 15:12:20 PDT 2012

One more note:

A line like

redef Notice::mail_dest = "alert at email.com";

in a custom Bro script doesn't appear to override the value specified
by the MailTo variable set in etc/broctl.cfg .

It appears that either your email alerts from the notice framework are
sent to the value specified by MailTo, or they don't get sent out at


On Tue, Aug 28, 2012 at 4:22 PM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> I spent quite a bit of time and effort trying to figure out.  Dropping
> a note out to the community to hopefully help the next guy.
> Over in this thread
> http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005811.html
> I couldn't figure out why this script
> http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005812.html
> would not send an email alert via the Notice framework.
> I was testing the script on a small pcap file. I thought that
> debugging approach would enable me to quickly, easily, and reliably
> check to see if my new bro script was working as intended.
> Here's the problem with that development/debugging approach.  The
> first few lines in the function email_notice_to (found in
> frameworks/notice/main.bro specifically) check to see if you are
> reading traffic from a trace file, and then silently disable email
> alerting if you are.  This turned out to be very frustrating to debug.
> To confirm that my script was working as expected, I had to change the
> following lines in frameworks/notice/main.bro:
> function email_notice_to(n: Notice::Info, dest: string, extend: bool)
>         {
>         if ( reading_traces() || dest == "" )
>                 return;
> to the following:
> function email_notice_to(n: Notice::Info, dest: string, extend: bool)
>         {
> #       if ( reading_traces() || dest == "" )
> #               return;
> If you plan to test a new script where you expect it to send an email
> via the Notice framework, I recommend that you send traffic that ought
> to trigger an email alert over the wire.
> That's not a viable option for me, so commenting out the lines above
> is a better approach.
> Would also recommend that either the bro documentation make note of
> this "feature" or that the resulting notice.log print a message to
> indicate that email alerting was disabled because it isn't reading
> traffic from a live network capture.
> -Chris
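An alternative to editing frameworks/notice/main.bro is a small diagnostic script, added here as an example (not code from the post or from the Bro distribution), that makes the silent drop visible: it assumes Bro 2.x's Notice::notice event, the n$actions set, the reading_traces() and Reporter::warning built-ins, and the redef-able Notice::mail_dest.

```bro
# Added example: report notices whose email would be suppressed because
# Bro is reading a trace file instead of a live interface. Load it with
# the script under test, e.g. "bro -r test.pcap myscript.bro notice_debug.bro".
@load base/frameworks/notice

# Low priority so this runs after the framework has applied its own
# action handling; the priority value itself is an assumption.
event Notice::notice(n: Notice::Info) &priority=-10
    {
    # ACTION_EMAIL is set on the notice, but email_notice_to() returns
    # early when reading_traces() is true, so nothing is ever sent.
    if ( Notice::ACTION_EMAIL in n$actions && reading_traces() )
        Reporter::warning(fmt("notice %s would be emailed to '%s', but email is suppressed while reading a trace",
                              n$note, Notice::mail_dest));
    }
```

The warning lands in reporter.log, so a test run against a pcap shows that the notice was raised with ACTION_EMAIL even though no mail left the host.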
