[Bro] Redefining the email application

Clark, Gilbert gc355804 at ohio.edu
Mon Oct 13 11:08:19 PDT 2014


Hi James:

Disclaimer: I've never done this before, so the following may be completely wrong.  with that said ...

In base/frameworks/notice/main.bro, there is a function called 'email_notice_to'.  In this function, there is a call that looks like this:

    piped_exec(fmt("%s -t -oi", sendmail), email_text);

piped_exec is, I think, what actually makes the call to sendmail, where sendmail is defined to be (in the same file):

    ## Local system sendmail program.
    ##
    ## Note that this is overridden by the BroControl SendMail option.
    const sendmail            = "/usr/sbin/sendmail" &redef;

So, based on the above, I can see a few options:

* Use an application with sendmail compatibility and redefine Notice::sendmail to point to that
* Maybe check broctl's SendMail option to make sure it's not overwriting the value you'd like (since it mentions that broctl takes precedence in the comment above)?
* If neither of the above work, symlink /usr/bin/sendmail to the actual application you're trying to forward the mail to and see if that works?
* If the above isn't an option, write a shim that accepts the -t -oi options and forwards the body of the mail to the desired application
* If none of the above work, maybe modify email_notice_to to make a different piped_exec() call?  Note that this might be bad because changes would be lost at upgrade ...

Hope something in there is useful.

-Gilbert
________________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of James Lay <jlay at slave-tothe-box.net>
Sent: Monday, October 13, 2014 1:36 PM
To: bro at bro-ids.org
Subject: [Bro] Redefining the email application

Hey All,

I've been trying to figured out how to get a different application as
the sendmail app.  I've not been able to find anything for this, so I'm
coming here for an assist.  If not being able to redefine sendmail to
something different, is there a way I can instead fire off a script that
will run my email application instead?  I've looked at:

https://www.bro.org/sphinx/scripts/base/frameworks/notice/main.bro.html

For a while now, but I'm not able to figure it out.  Thanks for any
assistance.

James
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro




More information about the Bro mailing list