[Bro] Email Notice attempt #2

craig bowser reswob10 at gmail.com
Thu Aug 10 19:34:21 PDT 2017

OK, I've been continuing to work at this and I found Scott Runnell's most
excellent blog posts and I've been following part #3.


Now I know that bro has updated a lot since then, but I think I've got the
syntax right.  However, while the code works and I get one notice in my
notice.log, I'm not getting an emailed alert.

What am I still missing?



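module HTTP;

export {
  redef enum Notice::Type += {
    ## Generated if a site is detected using Basic Access Authentication
    Basic_Auth_Server
  };
}

redef Notice::mail_dest = "reswob10 at gmail.com";
redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == HTTP::Basic_Auth_Server )
                add n$actions[Notice::ACTION_EMAIL];
        }

event http_header(c: connection, is_orig: bool, name: string, value: string)
      {
      if (/AUTHORIZATION/ in name && /Basic/ in value)
             {
             # Only the $identifier field of this call survives in the archived
             # post; $msg and $conn are placeholders, later fields are not shown.
             NOTICE([$note=HTTP::Basic_Auth_Server,
                     $msg="Basic Access Authentication detected",
                     $conn=c,
                     $identifier=cat(c$id$resp_h, c$id$resp_p)]);
             }
      }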

Craig L Bowser

This email is measured by size.  Bits and bytes may have settled during
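
Added example, not part of the original post and not code from the Bro project: a check on the actions column of notice.log, which records the actions attached to each notice once the policy hooks have run. A notice that lists Notice::ACTION_EMAIL but produced no mail points at delivery rather than at the policy script. The sample log is constructed and trimmed to four columns, and the function names are assumptions.

```python
import io

# Constructed sample in Bro's TSV log layout (columns trimmed; not from the post).
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#fields\tts\tnote\tmsg\tactions",
    "#types\ttime\tenum\tstring\tset[enum]",
    "1502418861.0\tHTTP::Basic_Auth_Server\tconstructed A\tNotice::ACTION_LOG",
    "1502418862.0\tHTTP::Basic_Auth_Server\tconstructed B\tNotice::ACTION_LOG,Notice::ACTION_EMAIL",
    "1502418863.0\tHTTP::Basic_Auth_Server\tconstructed C\t(empty)",
    "1502418864.0\tSSL::Invalid_Server_Cert\tconstructed D\tNotice::ACTION_LOG,Notice::ACTION_EMAIL",
]) + "\n"


def parse_bro_log(stream):
    """Yield (meta, record) pairs; column names and separators come from the header."""
    meta = {"sep": "\t", "set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#separator "):
            # The separator is written escaped (e.g. \x09) after a literal space.
            meta["sep"] = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(meta["sep"])
            if key == "fields":
                fields = vals
            elif key in meta and vals:
                meta[key] = vals[0]
        elif line:
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield meta, dict(zip(fields, line.split(meta["sep"])))


def email_action_report(stream, note_type):
    """Return (ts with ACTION_EMAIL, ts without) for notices of note_type."""
    emailed, not_emailed = [], []
    for meta, rec in parse_bro_log(stream):
        if rec.get("note") != note_type:
            continue
        raw = rec.get("actions", meta["unset_field"])
        unset = raw in (meta["empty_field"], meta["unset_field"])
        actions = set() if unset else set(raw.split(meta["set_separator"]))
        (emailed if "Notice::ACTION_EMAIL" in actions else not_emailed).append(rec["ts"])
    return emailed, not_emailed
```

To run it against a real log, pass an open notice.log file as the stream, for example email_action_report(open("notice.log"), "HTTP::Basic_Auth_Server").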