[Bro] Two questions

Johanna Amann johanna at icir.org
Tue Nov 29 15:35:05 PST 2016


Hi,

> 1: How can the intel also get mailed, when an intel event occurs?
> I tried 
> 
> redef Notice::emailed_types += {
>          HTTP::IN_HOST_HEADER,
> };

HTTP::IN_HOST_HEADER actually is not a notice type; it is a location of
the Intel framework. Try using Intel::Notice instead; that should work.

> 2: I want to incorporate a Bash curl script to send alerts to other systems when a notice or an intel event occurs. How to accomplish this?

You probably want to use the exec framework -
https://www.bro.org/sphinx/scripts/base/utils/exec.bro.html.

I hope this helps,
 Johanna
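Both answers above put together in one Bro script, as an added example that is not from the thread or from the Bro project: the webhook URL, the curl flags, the use of the Notice::log_notice event as the trigger, and the str_shell_escape quoting are my assumptions about how one would wire this up.

```bro
@load base/frameworks/notice
@load base/frameworks/intel
@load base/utils/exec

# 1: also e-mail Intel hits. The notice type raised by the Intel framework
#    is Intel::Notice; HTTP::IN_HOST_HEADER is only a "where seen" location.
redef Notice::emailed_types += { Intel::Notice };

# Hypothetical receiver for the curl POST (constructed for this example).
const alert_url = "https://alerts.example.invalid/bro" &redef;

# 2: forward every logged notice (Intel::Notice included) to another
#    system with curl, run through the exec framework so Bro does not block.
#    Notice::log_notice fires for each record written to notice.log.
event Notice::log_notice(rec: Notice::Info)
	{
	local body = fmt("note=%s msg=%s src=%s",
	                 rec$note, rec$msg, rec?$src ? rec$src : 0.0.0.0);

	# Notice text is attacker-influenced (e.g. an Intel hit on a Host
	# header), so escape it before it goes anywhere near a shell.
	local cmd = Exec::Command($cmd=fmt("curl -s -X POST --data-binary \"%s\" %s",
	                                   str_shell_escape(body), alert_url));

	when ( local res = Exec::run(cmd) )
		{
		if ( res$exit_code != 0 )
			Reporter::warning(fmt("alert curl failed, exit code %d", res$exit_code));
		}
	}
```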
