[Bro] ACTION_ALARM and ACTION_EMAIL
tgdesrochers at gmail.com
Wed Jan 6 07:33:41 PST 2016
I have my sensor set up to email me notices with:
hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];
    }
If I understand correctly, this will email me upon any entry in the
notice.log. Is there a way to:
1. only get specific items emailed upon entry
2. get the rest of notice.log entries emailed with ACTION_ALARM in the
alarm-mail.txt and have that ignore anything that was previously emailed.
3. Only get one notice email per alert?
What I am doing is in the /opt/bro/share/bro/intel folder creating
different folders with IOCs I want the intel framework to look over, and I
am using meta.do_notice to send the items of importance to the notice log.
Excuse my ignorance with this subject; I am just now trying to get things
emailed out efficiently to reduce some noise and redundancy my analysts are
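One way to do all three things asked for above in a single Notice::policy hook, as an added example that is not from the original post or the Bro distribution. It assumes the intel hits arrive via policy/frameworks/intel/do_notice (note type Intel::Notice, indicator in n$sub, matching host in n$src); the NoticeTriage module, the email_types set and the emailed table are names made up here.

```bro
# Assumes policy/frameworks/intel/do_notice is loaded, so intel hits arrive
# as Intel::Notice with the indicator in n$sub and the host in n$src.
@load base/frameworks/notice
@load frameworks/intel/do_notice

module NoticeTriage;

export {
    ## Notice types that deserve an immediate e-mail (ACTION_EMAIL).
    ## Everything else only lands in the alarm summary (ACTION_ALARM),
    ## which broctl mails out as alarm-mail.txt.
    const email_types: set[Notice::Type] = { Intel::Notice } &redef;

    ## How long a given indicator/host pair stays quiet after being mailed.
    const quiet_period = 1day &redef;
}

## Keys of notices already e-mailed. Entries expire after quiet_period, so
## the same hit is mailed at most once per quiet_period (this is our own
## bookkeeping, independent of the framework's $identifier suppression).
global emailed: set[string] &create_expire=quiet_period;

function triage_key(n: Notice::Info): string
    {
    # Note type + indicator + source host tells one intel hit from the next;
    # fall back to "-" when a field is absent (e.g. hits without a connection).
    local sub = n?$sub ? n$sub : "-";
    local src = n?$src ? cat(n$src) : "-";
    return cat(n$note, "|", sub, "|", src);
    }

hook Notice::policy(n: Notice::Info) &priority=5
    {
    if ( n$note !in email_types )
        {
        # 2. Not an e-mail candidate: alarm summary only (ACTION_LOG is
        #    added by the framework regardless).
        add n$actions[Notice::ACTION_ALARM];
        return;
        }

    local key = triage_key(n);
    if ( key in emailed )
        # 3. Already mailed within quiet_period: log only, and keep it out
        #    of the alarm summary too, so nothing is reported twice.
        return;

    # 1. First sighting of this hit: mail it right away and remember it.
    add emailed[key];
    add n$actions[Notice::ACTION_EMAIL];
    }
```

Drop the script into local.bro (or @load it from there) and adjust email_types / quiet_period with redef rather than editing the file.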