[Bro-Dev] [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643)

[Seth Hall]

On Oct 26, 2011, at 1:43 PM, Robin Sommer wrote:

> Seth, what do you think of this approach? If loaded (which I'd like to
> do by default), it will replace the standard raw notice alarms with
> pretty printed versions.
> 
> Note, it's not finished yet; in particular, the actual pretty printing
> is missing. But is this a good way to hook into the processing?


Yep.  Handling the Notice::notice event is definitely the right way to hook in.

As I'm reading through it I'm having a few thoughts.  Maybe we should just make an extensions/ directory in the notice framework instead of the current extend-email/ and actions/ directories?  They're all basically just extensions they're just using different extension mechanisms.  I wouldn't say this exactly fits into actions and I didn't abstract ACTION_ALARM into alarms (which possibly should have) and then you could have just directly implemented this there.

And I'm going to back up on what I said before.  I can see this script taking a shell script or something to process the log file through as an alternate way of converting the log into the email body.  That might even make more sense as the primary approach.  I guess it would be like a prerotation filter or something?  We may be able to use something like that in more ways than we are even thinking of right now.  That way someone could provide a script that can turn Bro logs into webpages (as a sort of obvious example) if people want to receive their alarm emails in a "pretty" format.  Or, it could even attach it to the email as an attachment if people prefer that way.

I'm pretty sure you were right on that one, I just hadn't fully thought through it yet. ;)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/