[Bro-Dev] On the topic of MailTo/MailAlarmsTo...

Vlad Grigorescu vladg at cmu.edu
Tue Dec 11 16:18:31 PST 2012


On Dec 10, 2012, at 3:35 PM, Robin Sommer <robin at icir.org> wrote:

> I believe the original intention was to use MailAlarmsTo for
> everything to the IR team, and MailTo for all the administrative stuff.
> Doesn't sound like that's still the case anymore but maybe something
> we should go back to?

Interesting. So currently, the setup is:

- Bro Notice::ACTION_EMAIL -> MailTo
- Bro Notice::ACTION_ALARM -> MailAlarmsTo (only sent as summaries)
- broctl summarize-connections -> MailTo
- broctl crash reports -> MailTo
- broctl cron output -> MailTo

So, that lines up pretty well with what you said, with the exception of ACTION_EMAIL. I think most setups will want those going to the IR team AKA MailAlarmsTo. But then we're back in the situation where alarm summaries and notice e-mails go to the same place, which is annoying if that place is a ticket system. (That was changed in #814, not #841 as I previously said).

What I initially did was create another action ("ACTION_EMAIL_IR"), but that doesn't work well with extend-email/hostnames, which exits if the action isn't ACTION_EMAIL.

  --Vlad
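The approach sketched above (a separate IR action alongside ACTION_EMAIL) as an added example, not code from this thread or from the Bro distribution. It assumes the Bro 2.1 notice framework with the Notice::policy and Notice::notice hooks and the Notice::email_notice_to(n, dest, extend) helper; the destination address and the notice type used in the policy hook are placeholders.

```bro
# Added example: route a dedicated IR action to its own mailbox while
# leaving ACTION_EMAIL -> MailTo untouched.
@load base/frameworks/notice

module Notice;

export {
	## Extra action for notices the IR team should receive directly.
	redef enum Action += { ACTION_EMAIL_IR };

	## Where IR-bound notices go (placeholder address; set via redef).
	const mail_ir_dest = "ir-team@example.invalid" &redef;
}

# Decide which notices get the IR action. The notice type here is a
# placeholder; a site would pick its own set.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( n$note == Weird::Activity )
		add n$actions[ACTION_EMAIL_IR];
	}

# Deliver IR-bound notices. Runs at low priority so that extensions
# which fill in n$email_body_sections have already executed. Note that
# extend-email/hostnames only adds its section when ACTION_EMAIL is
# present, so an IR-only notice will not carry hostnames (the
# limitation described in the message above).
hook Notice::notice(n: Notice::Info) &priority=-5
	{
	if ( ACTION_EMAIL_IR in n$actions && mail_ir_dest != "" )
		email_notice_to(n, mail_ir_dest, T);
	}
```

Loading this alongside the default policy keeps summaries going to MailAlarmsTo and administrative output to MailTo, and gives the IR team a third address that a ticket system can consume without also receiving the alarm summaries.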