[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Chris Crawford christopher.p.crawford at gmail.com
Wed Aug 29 13:14:56 PDT 2012


I wasn't confident that an email would fire from my bro script, so I
wanted to test it with a tracefile first.  I knew that the tracefile
contained the network conditions I was interested in, so this seemed
like a reasonable way to verify my script.  The fact that I didn't see
any email while I was testing the script led me to believe that either
I was doing something wrong, or that part of the notice framework was
broken.  Either way, I wouldn't have had much confidence that my
script was doing what I wanted it to do, so what would be the point in
using it in a live capture scenario?

-Chris

On Wed, Aug 29, 2012 at 1:10 PM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 28, 2012, at 4:22 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>
>> If you plan to test a new script where you expect it to send an email
>> via the Notice framework, I recommend that you send traffic that ought
>> to trigger an email alert over the wire.
>
> Why are you looking to send an email while reading a tracefile?  The same notice will be in the notice.log.
>
> I do agree that we should output a reporter message if someone tries to send an email while reading a tracefile though, we just can't sneak that feature into 2.1 but I'll file a ticket for it.
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
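The workflow discussed above (a script that requests Notice::ACTION_EMAIL, tested first against a tracefile) can be made self-explanatory at the script level. The following is an added example, not code from the thread or from the Bro project: a hypothetical notice type Suspicious_Port raised on connections to a hypothetical watched port, with ACTION_EMAIL added in a Notice::policy hook. When Bro is reading a trace rather than live traffic, the hook emits the reporter message Seth describes, pointing the tester at notice.log, where the notice is recorded regardless of whether mail goes out. The mail destination is a placeholder.

```bro
# Added example (not from the thread or from Bro itself): raise a notice with
# ACTION_EMAIL and warn via the Reporter framework when run against a trace.
@load base/frameworks/notice

module TestEmail;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type used only for this example.
		Suspicious_Port,
	};

	## Hypothetical: a responder port whose connections should raise the notice.
	const watched_port = 4444/tcp &redef;
}

# Placeholder address; set to the real recipient on a live sensor.
redef Notice::mail_dest = "secops@example.com";

event connection_established(c: connection)
	{
	if ( c$id$resp_p == watched_port )
		NOTICE([$note=Suspicious_Port,
		        $msg=fmt("connection to watched port %s", watched_port),
		        $conn=c,
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != Suspicious_Port )
		return;

	# Request an email for this notice type.
	add n$actions[Notice::ACTION_EMAIL];

	# Email is only sent for live traffic; when reading a trace, say so
	# explicitly so a tester knows to verify the notice in notice.log.
	if ( reading_traces() )
		Reporter::warning(fmt("ACTION_EMAIL requested for %s while reading a trace; the notice is in notice.log but no mail is sent", n$note));
	}
```

Run it against a capture with something like `bro -r test.pcap test-email.bro`, then confirm the row in notice.log carries `Notice::ACTION_EMAIL` in its actions column and that reporter.log holds the warning; the same script on a live interface sends the mail without further changes.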
