[Bro] Bro email notice question

Scotty Brown scotty.b.brown at gmail.com
Mon Mar 28 21:41:21 PDT 2016


Hi Jan,

Thank you!  This is exactly what I was after.  I did have to add a
missing closing bracket ) to line 39.

Did you ever have any discussion on getting this added/changed to the
default do_notice that is distributed with bro?

Cheers,

Scotty

On 25/03/16 01:14, Jan Grashöfer wrote:
> Hi Scotty,
>
>> I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro
> Some time ago, I adapted the do_notice.bro script to add an identifier
> (for notice suppression) and also added some information (e.g. intel
> source) to the mails (see
> https://gist.github.com/J-Gras/c2e0853c93c0bdc74522). I hope this will
> help you :)
>
> Regards,
> Jan