[Bro] Two questions

Eugène Dautzenberg edautz at gmail.com
Thu Nov 17 08:39:14 PST 2016


I set up a Bro instance on a Raspberry Pi 3 with a WLAN monitor interface, for IDS home use.

I got notices and with the 

hook Notice::policy(n: Notice::Info)
         {
         add n$actions[Notice::ACTION_EMAIL];
         }

config (example from the mailing list) into my local.bro. I got notices by mail. Works fine.

I also installed Critical Stack intel feeds, and I see an Intel file created when I test a banned IP address.

I am new to Bro and have no knowledge about Bro configuration and scripting language. But I want to make a quick start.

I have two questions:

1: How can the intel also get mailed when an intel event occurs?
I tried 

redef Notice::emailed_types += {
         HTTP::IN_HOST_HEADER,
};

Config check is ok but after triggering an intel event I got no mail.

2: I want to incorporate a Bash curl script to send alerts to other systems when a notice or an intel event occurs. How can I accomplish this?

Thanks in advance.
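Both questions, as an added example that is not from the original post or from the Bro project: a local.bro fragment that e-mails intel hits and hands every notice to a curl wrapper. It assumes Bro 2.x with the Intel framework already loaded (as it is for Critical Stack feeds) and a hypothetical /usr/local/bin/bro-alert.sh that reads one tab-separated line from stdin and forwards it with curl.

```bro
# Added example, not from the original post. Assumed: Bro 2.x, the Intel
# framework loaded, and a hypothetical curl wrapper at /usr/local/bin/bro-alert.sh
# that reads "note<TAB>src<TAB>msg" from stdin and POSTs it somewhere.

@load frameworks/intel/do_notice   # raises an Intel::Notice notice for matched indicators
@load base/utils/exec              # Exec::run executes a command without blocking Bro

# Question 1: intel hits surface as the notice type Intel::Notice. Values such
# as HTTP::IN_HOST_HEADER are of type Intel::Where (they describe where an
# indicator was seen), not Notice::Type, so listing them in emailed_types never
# mails anything. The indicator also needs meta.do_notice=T in its intel file,
# otherwise do_notice.bro generates no notice for it at all.
redef Notice::emailed_types += { Intel::Notice };

# Question 2: path of the curl wrapper (hypothetical; change to suit).
const alert_script = "/usr/local/bin/bro-alert.sh" &redef;

hook Notice::policy(n: Notice::Info)
    {
    # Notice text (hostnames, URLs, user agents) is attacker-controlled input,
    # so hand it to the script on stdin instead of splicing it into a shell
    # command line.
    local src = n?$src ? fmt("%s", n$src) : "-";
    local msg = n?$msg ? n$msg : "";
    local rec = fmt("%s\t%s\t%s\n", n$note, src, msg);

    when ( local res = Exec::run([$cmd=alert_script, $stdin=rec]) )
        {
        # A non-zero exit means the alert never left the box; make that visible
        # in reporter.log rather than silently dropping it.
        if ( res$exit_code != 0 )
            Reporter::warning(fmt("%s exited %d for notice %s",
                                  alert_script, res$exit_code, n$note));
        }
    }
```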

