[Bro] bro alerts over email
aashish at uiuc.edu
Tue Mar 22 10:37:19 PST 2005
Mail notification via bro is working just fine (and fast) now. Thanks for all the input and help.
I would like to point out a few more things which we had to add locally:
1) currently NOTICE_PAGE and NOTICE_EMAIL are independent actions so we had to do minor modifications in notice.bro
to be able to send an email as well when NOTICE_PAGE action takes place.
I think it would be a good idea to have an email sent while NOTICE_PAGE action takes place.
2) Going back to reading_live_traffic()/mail notification issue:
Since,
> (in particular, the "interfaces" variable); so a call to reading_live_traffic()
> for a variable's initialization returns F even if later Bro determines
> it indeed is going to be reading live traffic.
Not sure why we needed '!' in 'if (! mail_notification)' condition because mail_notification is returning false
irrespective of live_traffic capture or a tcpdump reply.
The following seems to be working fine:

    if ( mail_notification || mail_dest == "" || mail_page_dest == "" )
        return;

Thanks a lot.
Aashish Sharma
On Sun, Mar 20, 2005 at 11:43:29PM -0800, Vern Paxson wrote:
> > reading_live_traffic() is defined in bro.bif.bro, but the way it was
> > being used there was
> > a race condition where it was not always being set correctly.
> Minor clarification: this isn't a race condition in terms of not being
> deterministic. Rather, the problem is that Bro doesn't know whether it's
> reading live traffic until it finishes initializing global variables
> (in particular, the "interfaces" variable); so a call to reading_live_traffic()
> for a variable's initialization returns F even if later Bro determines
> it indeed is going to be reading live traffic.
>
> Vern