[Bro-Dev] #719: SMTP policy blocklist: Added originator only logging

Bro Tracker bro at tracker.bro-ids.org
Tue Dec 13 06:50:06 PST 2011


#719: SMTP policy blocklist: Added originator only logging
--------------------+----------------------
  Reporter:  eddyg  |      Owner:
      Type:  Patch  |     Status:  new
  Priority:  Low    |  Milestone:  Bro2.0
 Component:  Bro    |    Version:  2.0 Beta
Resolution:         |   Keywords:
--------------------+----------------------

Comment (by seth):

 I'd rather not solve it the way you did in the patch, but I definitely
 understand what you want.  I think what we might do is change how the
 shorthand notice policy configuration variables work (I'm totally up for
 changing this for 2.0 too).  What I need to know is what you ultimately
 want to change.  Do you just want to completely filter out all non-local
 blocked servers?  Or would you really just like to alarm or notice on the
 local blocked servers?

 I have two proposed techniques, each with things I like and don't like.
 Both examples would solve the problem you are trying to solve.  Which do
 you prefer?

 {{{
 redef Notice::ignored_notices += { [SMTP::Blocklist_Blocked_Host,
 LOCAL_HOSTS] };

 redef Notice::shortcuts += { [SMTP::Blocklist_Blocked_Host, LOCAL_HOSTS] =
 Notice::ACTION_IGNORE };
 }}}

 We also need to overhaul that notice a bit but I've been planning on going
 around and touching all of the notices a little bit before the release to
 make them all clearer.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/719#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker