[Bro] Intel Framework, Notices, and sending out emails

Seth Hall seth at icir.org
Fri Dec 20 08:11:13 PST 2013

On Dec 20, 2013, at 10:27 AM, Derek Banks <itsecderek at gmail.com> wrote:

> hook Notice::policy(n: Notice::Info)
>             {
>             add n$actions[Notice::ACTION_ALARM];
>             }


add n$actions[Notice::ACTION_EMAIL];

The alarm action may be a little confusing.  What's it doing is batching up notices and then sending them out on your log rotation interval in a single email.  It's sort of the lower priority notices that you don't care about receiving the instant they occur but you'd still like to know about them soon.

You also have the ability to do multiple actions per-notice so you don't need to worry about overwriting an action if you add multiple. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131220/746e90d3/attachment.bin 

More information about the Bro mailing list