[Bro] Changing notice log entry actions from Action::Log to Action::Email

Azoff, Justin S jazoff at illinois.edu
Tue Apr 25 14:16:12 PDT 2017

> On Apr 25, 2017, at 4:45 PM, Espresso Beanies <espressobeanies at gmail.com> wrote:
> Hi,
> In searching previous Bro posts, I'm still not able to understand how to get Bro to email certain notice types as opposed to just creating log entries.
> My local.bro file contains the following:
> redef Notice::emailed_types += {
>   TeamCymruMalwareHashRegistry::Match,
>   Intel::Notice,
>   Intel::DOMAIN,
>   Intel::CERT_HASH,
>   Intel::FILE_HASH,
> };


> For these entries, where or what file do I change specific Notice::Types from Notice::ACTION_LOG to Notice::ACTION_EMAIL?

The Notice::emailed_types that is in your local.bro that you included in your email.

If you want to get emailed about SSH::Password_Guessing then it should be in the emailed_types set.


- Justin Azoff
