[Bro] bro alerts over email

Brian Tierney bltierney at lbl.gov
Sun Mar 20 14:18:35 PST 2005


I can answer question #2A. Someone else will have to handle #1, #2B, 
and #3.

I noticed and fixed the problem you are referring to a couple weeks ago.
We changed the beginning of function "email_notice" to be:

         if ( ! reading_live_traffic() || mail_dest == "" )
                 return;

where mail_dest is defined at the beginning of the file as:
         global mail_dest = "" &redef;

Then you need to set mail_dest in your site policy file.

reading_live_traffic() is defined in bro.bif.bro, but the way it was 
being used, there was a race condition where it was not always being 
set correctly.

On Mar 17, 2005, at 3:31 PM, Aashish Sharma wrote:

>
> 2) In order to send emails from bro I had to comment out the following
> from notice.bro file :
>
> #       if ( ! mail_notification )         ----------------------- (2A)
> #               return;
>
> #       local action = notice_action_filters[n$note](n); --------- (2B)
>
>         # Choose destination address based on action type.
> #       local destination = (action == NOTICE_EMAIL) ?
> #               mail_dest : mail_page_dest;
> local destination = mail_dest ;
>
>
> 2A) I think 'if (! mail_notification)' condition is not holding true at
> all. I see the following definition
>
> ../policy/notice.bro:global mail_notification = reading_live_traffic() &redef;
>
> and
>
> ../policy/bro.bif.bro:global reading_live_traffic: function(): bool;
>
> I don't see reading_live_traffic function defined anywhere? Do I need
> to redef reading_live_traffic() function?
>
> If yes, should it be in the site policy file? Would its value affect
> other policy files? (it's used in conn.bro, load-level.bro and
> stats.bro)
>
>  



