[Bro] bro alerts over email

Vern Paxson vern at icir.org
Sun Mar 20 23:41:23 PST 2005


> 1) I am unable to redefine variables sensitive_URIs
> (policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
> policy file.

These are declared inside module scope, so you need <module>::<variable>
to access them.  For example:

	redef HTTP::sensitive_URIs += /rootdown.pl/;

> 2B)  local action = notice_action_filters[n$note](n) 
> 
> gives the following error in info.log file and bro stops :  

Oops, a bug.  Patch appended.

> in my site-policy file for getting email/page alert.  If I understand it
> correctly, I have to first put rootdown.pl (etc) in the Sensitive_URI list
> to get bro to generate an alert and then declare that particular alert
> using the above $pred config in my site policy file. Right ? 
> 
> Since this could lead to a lot of $pred declarations, is it possible to
> have a formation like the following for a similar category of alerts : 
> 
> /usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
> (/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
> boolean operands 

One of the changes already in place for the next release is use of "||"
and "&&" for combining patterns, for exactly this sort of reason.

		Vern
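Until the "||" operator for patterns lands, the same effect can be had with
alternation inside a single pattern, which Bro's flex-style regular
expressions already support.  The following site-policy fragment is an added
example, not code from this message or from the Bro distribution; the two
filenames are taken from the question above, and the escaped dots are the
one change worth pointing out, since an unescaped "." in /rootdown.pl/
matches any character rather than a literal period:

```bro
# Site policy fragment (added example, not from the original message).
# Load the HTTP request analysis so the HTTP module and its variables exist.
@load http-request

# sensitive_URIs lives in module HTTP, so it must be qualified with HTTP::.
# One pattern with alternation covers several filenames without needing
# "||" between patterns; "\." matches a literal dot, whereas an unescaped
# "." would also match "rootdownXpl".
redef HTTP::sensitive_URIs += /rootdown\.pl|lads\.exe/;
```

If further filenames need to be added later, another `redef ... +=` with a
second pattern is fine; the `+=` form appends to the existing pattern rather
than replacing it.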


diff -Lpolicy/notice.bro -Lpolicy/notice.bro -u -r1.14 -r1.15
--- policy/notice.bro
+++ policy/notice.bro
@@ -181,13 +181,11 @@
 		}
 	}
 
-function email_notice(n: notice_info)
+function email_notice(n: notice_info, action: NoticeAction)
 	{
 	if ( ! reading_live_traffic() || mail_dest == "" )
 		return;
 
-	local action = notice_action_filters[n$note](n);
-
 	# Choose destination address based on action type.
 	local destination = (action == NOTICE_EMAIL) ?
 		mail_dest : mail_page_dest;
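Review bot: the removed line `local action = notice_action_filters[n$note](n);` indexed the table without first testing `n$note in notice_action_filters`, so any note type lacking a filter entry would fail inside email_notice itself; taking `action` as a parameter from the caller, which has already resolved it, removes that second, unguarded lookup. Since the function still returns early when `! reading_live_traffic() || mail_dest == ""`, the destination selection on the retained lines continues to see only the caller's action value.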
@@ -311,7 +309,7 @@
 		if ( action != NOTICE_FILE )
 			{
 			if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )
-				email_notice(n);
+				email_notice(n, action);
 
 			if ( use_tagging )
 				alarm info;
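Review bot: the one-argument form `email_notice(n)` is now invalid after the signature change in the first hunk, so any other caller of email_notice outside this patch would need the same `email_notice(n, action)` update; only this call site is visible here, and it correctly forwards the `action` already tested by the enclosing `if ( action == NOTICE_EMAIL || action == NOTICE_PAGE )`.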
