[Bro] Can't get "Notice::ACTION_EMAIL" to work

Andrew Dellana andrew.dellana at bayer.com
Thu Jan 19 11:24:14 PST 2017


Thanks Aashish! 

I added it in and ran the script but now it dislikes the 'key$host' in the first line. (unknown identifier key, at or near "key")


Thanks,

Andrew Dellana

-----Original Message-----
From: Aashish Sharma [mailto:asharma at lbl.gov] 
Sent: Thursday, January 19, 2017 2:14 PM
To: Andrew Dellana
Cc: bro at bro.org
Subject: Re: [Bro] Can't get "Notice::ACTION_EMAIL" to work

Andrew, 

I'd say everyone sets this up differently (there are quite a few ways).

Here is one simple way to escalate a notice so that it is also emailed. I'd first simply generate a notice like this in the relevant policy:

# key and r must already be in scope here, i.e. this belongs inside the
# function that receives them (typically a SumStats threshold callback),
# not at top level, or "key" is an unknown identifier.
# fmt() needs one placeholder per argument; extra arguments are an error.
local msg = fmt("Detected potential virus affecting computer %s (%d hits).", key$host, r$num);
NOTICE([$note=Virus_Total_Alert, $msg=msg, $src=key$host, $identifier=cat(key$host)]);


Then, 

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }


Hope this helps, 
Aashish 


On Thu, Jan 19, 2017 at 06:58:37PM +0000, Andrew Dellana wrote:
> I am still new to bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap).  I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert" ".    Line 117 is the "Notice::ACTION_EMAIL" line.
> 
> 
> hook Notice::policy(n: Notice::Info)
>   {
>   if ( n?$conn && n$conn?$http && n$conn$http?$host )
>     n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
>   }
> 
> Notice::ACTION_EMAIL ([$note=Virus_Total_Alert,
>         $msg=fmt("Detected potential virus effecting computer.", key$host, r$num),
>         $src=key$host,
>         $identifier=cat(key$host)]);
> 
> 
> Thanks,
> 
> Andrew Dellana

> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
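The whole pattern in one script, as an added example (not code from this thread or from sooshie's vt_check): declare the Notice::Type so Virus_Total_Alert resolves, raise the NOTICE inside the SumStats callback where key and result are in scope, and escalate only that type through the Notice::policy hook. The module name, stream name, threshold, the connection_established stand-in for the real VirusTotal lookup, and the mail address are assumptions.

```bro
@load base/frameworks/notice
@load base/frameworks/sumstats

module VT_Email;  # assumed module name for this example

# Declare the notice type first; without this redef, Virus_Total_Alert is an unknown identifier.
redef enum Notice::Type += { Virus_Total_Alert };

# Assumed stream name and threshold for this example.
const vt_stream = "vt.hits";
const vt_threshold: double = 1.0 &redef;

# Recipient for ACTION_EMAIL (placeholder address). The notice framework does not send
# mail while this is empty or while Bro is reading a trace file instead of live traffic.
redef Notice::mail_dest = "soc@example.invalid";

event bro_init()
    {
    local r1 = SumStats::Reducer($stream=vt_stream, $apply=set(SumStats::SUM));
    SumStats::create([$name="vt-hits-per-host",
                      $epoch=1hr,
                      $reducers=set(r1),
                      $threshold=vt_threshold,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          { return result[vt_stream]$sum; },
                      # key and result exist only inside this callback; a NOTICE(...) that
                      # uses key$host at top level fails with "unknown identifier key".
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          local r = result[vt_stream];
                          NOTICE([$note=Virus_Total_Alert,
                                  $msg=fmt("Detected potential virus affecting %s (%d hits).",
                                           key$host, r$num),
                                  $src=key$host,
                                  $identifier=cat(key$host)]);
                          }]);
    }

# Feed the stream; a stand-in for observing on the real VirusTotal lookup result.
event connection_established(c: connection)
    {
    SumStats::observe(vt_stream, [$host=c$id$orig_h], [$num=1]);
    }

# Escalate only this notice type; other notices keep their default actions.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

The $identifier=cat(key$host) field lets Notice::suppression_interval collapse repeats for the same host, so one noisy host does not turn into a flood of mails.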
