[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Chris Crawford christopher.p.crawford at gmail.com
Tue Aug 28 15:12:20 PDT 2012


One more note:

A line like

redef Notice::mail_dest = "alert at email.com";

in a custom Bro script doesn't appear to override the value specified
by the MailTo variable set in etc/broctl.cfg .

It appears that either your email alerts from the notice framework are
sent to the value specified by MailTo, or they don't get sent out at
all.

-Chris

On Tue, Aug 28, 2012 at 4:22 PM, Chris Crawford
<christopher.p.crawford at gmail.com> wrote:
> I spent quite a bit of time and effort trying to figure out.  Dropping
> a note out to the community to hopefully help the next guy.
>
> Over in this thread
> http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005811.html
>
> I couldn't figure out why this script
> http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005812.html
>
> would not send an email alert via the Notice framework.
>
> I was testing the script on a small pcap file. I thought that
> debugging approach would enable me to quickly, easily, and reliably
> check to see if my new bro script was working as intended.
>
> Here's the problem with that development/debugging approach.  The
> first few lines in the function email_notice_to (found in
> frameworks/notice/main.bro specifically) check to see if you are
> reading traffic from a trace file, and then silently disable email
> alerting if you are.  This turned out to be very frustrating to debug.
>
> To confirm that my script was working as expected, I had to change the
> following lines in frameworks/notice/main.bro:
>
> function email_notice_to(n: Notice::Info, dest: string, extend: bool)
>         {
>        if ( reading_traces() || dest == "" )
>                return;
>
> to the following:
>
> function email_notice_to(n: Notice::Info, dest: string, extend: bool)
>         {
> #       if ( reading_traces() || dest == "" )
> #               return;
>
> If you plan to test a new script where you expect it to send an email
> via the Notice framework, I recommend that you send traffic that ought
> to trigger an email alert over the wire.
>
> That's not a viable option for me, so commenting out the lines above
> is a better approach.
>
> Would also recommend that either the bro documentation make note of
> this "feature" or that the resulting notice.log print a message to
> indicate that email alerting was disabled because it isn't reading
> traffic from a live network capture.
>
> -Chris
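The visibility Chris asks for at the end can be approximated in a custom script without editing frameworks/notice/main.bro: warn whenever a notice carries ACTION_EMAIL but the same conditions that make email_notice_to() return silently are true. This is an added example written for this page, not code from the original post or from the Bro project; it assumes Bro 2.1's `hook Notice::policy` syntax, and the module name DebugNotice and the `warn_on_suppressed_email` option are made up here.

```bro
##! Added example (not from the original thread): make the silent
##! email suppression of the notice framework visible when testing
##! a script against a pcap. Assumes Bro 2.1 hook syntax.

module DebugNotice;

export {
	## Set to F to silence these warnings on a live deployment.
	const warn_on_suppressed_email = T &redef;
}

# Low priority so this runs after the policy hooks that add actions.
hook Notice::policy(n: Notice::Info) &priority=-10
	{
	if ( ! warn_on_suppressed_email )
		return;

	# Only notices that were actually asked to be emailed are interesting.
	if ( Notice::ACTION_EMAIL !in n$actions )
		return;

	# Mirror the checks at the top of Notice::email_notice_to(): it
	# returns without sending when reading a trace or when the
	# destination is empty, and logs nothing about it.
	if ( reading_traces() )
		Reporter::warning(fmt("notice %s would be emailed on a live run, but email is disabled while reading a trace file", n$note));
	else if ( Notice::mail_dest == "" )
		Reporter::warning(fmt("notice %s requested email but Notice::mail_dest is empty", n$note));
	}
```

Load it alongside the script under test (for example `bro -r test.pcap local my-script.bro debug-notice.bro`) and the warnings land in reporter.log, so a run over a pcap shows which notices would have been emailed.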
