[Bro] bro alerts over email

aashish at uiuc.edu aashish at uiuc.edu
Tue Mar 22 10:37:19 PST 2005


Mail notification via bro is working just fine (and fast) now. Thanks for all the input and help. 

I would like to point out a few more things which we had to add locally:

1) Currently NOTICE_PAGE and NOTICE_EMAIL are independent actions, so we had to do minor modifications in notice.bro
to be able to send an email as well when a NOTICE_PAGE action takes place.

I think it would be a good idea to have an email sent while a NOTICE_PAGE action takes place.

2) Going back to the reading_live_traffic()/mail notification issue:

Since, 

> (in particular, the "interfaces" variable); so a call to reading_live_traffic()
> for a variable's initialization returns F even if later Bro determines
> it indeed is going to be reading live traffic.

Not sure why we needed '!' in 'if (! mail_notification)' condition because mail_notification is returning false 
irrespective of live_traffic capture or a tcpdump reply.  

The following seems to be working fine:

  if ( mail_notification || mail_dest == "" || mail_page_dest == "" )
      return;

Thanks a lot. 

Aashish Sharma 


On Sun, Mar 20, 2005 at 11:43:29PM -0800, Vern Paxson wrote:
> > reading_live_traffic() is defined in bro.bif.bro, but the way it was
> > being used there was
> > a race condition where it was not always being set correctly.
>
> Minor clarification: this isn't a race condition in terms of not being
> deterministic.  Rather, the problem is that Bro doesn't know whether it's
> reading live traffic until it finishes initializing global variables
> (in particular, the "interfaces" variable); so a call to reading_live_traffic()
> for a variable's initialization returns F even if later Bro determines
> it indeed is going to be reading live traffic.
> 
> 		Vern