[Bro] bro alerts over email
Brian Tierney
bltierney at lbl.gov
Sun Mar 20 14:18:35 PST 2005
I can answer question #2A. Someone else will have to handle #1, #2B,
and #3.

I noticed and fixed the problem you are referring to a couple weeks ago.
We changed the beginning of function "email_notice" to be:

    if ( ! reading_live_traffic() || mail_dest == "" )
        return;

where mail_dest is defined at the beginning of the file as:

    global mail_dest = "" &redef;

Then you need to set mail_dest in your site policy file.

reading_live_traffic() is defined in bro.bif.bro, but the way it was
being used there was a race condition where it was not always being set
correctly.

On Mar 17, 2005, at 3:31 PM, Aashish Sharma wrote:
>
> 2) In order to send emails from bro I had to comment out the following
> from notice.bro file:
>
> # if ( ! mail_notification ) ----------------------- (2A)
> # return;
>
> # local action = notice_action_filters[n$note](n); --------- (2B)
>
> # Choose destination address based on action type.
> # local destination = (action == NOTICE_EMAIL) ?
> # mail_dest : mail_page_dest;
> local destination = mail_dest ;
>
>
> 2A) I think 'if (! mail_notification)' condition is not holding true at
> all. I see the following definition
>
> ../policy/notice.bro:global mail_notification = reading_live_traffic() &redef;
>
> and
>
> ../policy/bro.bif.bro:global reading_live_traffic: function(): bool;
>
> I don't see reading_live_traffic function defined anywhere? Do I need
> to redef reading_live_traffic() function.
>
> If yes, should it be in the site policy file? Would its value affect
> other policy files? (it's used in conn.bro, load-level.bro and
> stats.bro)
>
>