[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Chris Crawford christopher.p.crawford at gmail.com
Wed Aug 29 13:14:56 PDT 2012

I wasn't confident that an email would fire from my bro script, so I
wanted to test it with a tracefile first.  I knew that the tracefile
contained the network conditions I was interested in, so this seemed
like a reasonable way to verify my script.  The fact that I didn't see
any email while I was testing the script led me to believe that either
I was doing something wrong, or that part of the notice framework was
broken.  Either way, I wouldn't have had much confidence that my
script was doing what I wanted it to do, so what would be the point in
using it in a live capture scenario?


On Wed, Aug 29, 2012 at 1:10 PM, Seth Hall <seth at icir.org> wrote:
> On Aug 28, 2012, at 4:22 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>> If you plan to test a new script where you expect it to send an email
>> via the Notice framework, I recommend that you send traffic that ought
>> to trigger an email alert over the wire.
> Why are you looking to send an email while reading a tracefile?  The same notice will be in the notice.log.
> I do agree that we should output a reporter message if someone tries to send an email while reading a tracefile though, we just can't sneak that feature into 2.1 but I'll file a ticket for it.
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
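The check Seth suggests above, verifying from notice.log rather than from your inbox when a script runs against a tracefile, as an added example that is not part of the thread or of Bro itself: a small parser for Bro's ASCII log format that reports whether a given notice type was raised with Notice::ACTION_EMAIL in its actions set. The notice.log excerpt, the column order and the notice type name MyScript::Suspicious_Connection are constructed for the demo; adapt them to the #fields line of your own log.

```python
#!/usr/bin/env python3
# Added example for this thread, not Bro's own code. Parses the ASCII
# notice.log that `bro -r trace.pcap myscript.bro` writes and checks
# whether the expected notice appeared with ACTION_EMAIL attached.

# Constructed notice.log excerpt (not real capture data). Bro writes a
# tab separator and names each column on the #fields line; the column
# order here is an assumption, so read it from your own file's header.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tnote\tmsg\tactions\n"
    "#types\ttime\tstring\taddr\taddr\tenum\tstring\ttable[enum]\n"
    "1346278496.123456\tCXWv6p3arKYeMETxOg\t192.0.2.10\t198.51.100.5\t"
    "MyScript::Suspicious_Connection\tsaw the condition\t"
    "Notice::ACTION_LOG,Notice::ACTION_EMAIL\n"
    "1346278497.000000\tCbTSDp1Ut5jrE2LOf2\t192.0.2.11\t198.51.100.5\t"
    "Scan::Address_Scan\thost scanned 20 addrs\tNotice::ACTION_LOG\n"
)


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names on the #fields line."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator is written escaped, e.g. \x09 for a tab.
                sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue
        if fields is None:
            raise ValueError("data record before #fields header")
        yield dict(zip(fields, line.split(sep)))


def notices_with_email(text, note):
    """Records of type `note` whose actions set contains ACTION_EMAIL."""
    hits = []
    for rec in parse_bro_log(text):
        actions = set(rec.get("actions", "").split(","))  # set_separator is ","
        if rec.get("note") == note and "Notice::ACTION_EMAIL" in actions:
            hits.append(rec)
    return hits


def script_fired_email(text, note):
    """True if the script raised `note` with the email action at least once."""
    return len(notices_with_email(text, note)) > 0
```

Run it over the notice.log left in the working directory after the tracefile run, or pass the file contents to script_fired_email with your own notice type.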
