[Bro] bro email notifications
Smith, Stephen G., OIG DoD
Stephen.Smith at dodig.mil
Fri Jun 23 04:44:21 PDT 2006
Hi all,
I am working with the DNS module, and trying to change the notification for
some of the alerts. Specifically, I would like to set the
SensitiveDNS_Lookup alarm to NOTICE_EMAIL rather than
NOTICE_ALARM_ALWAYS, which is the default. I got that name for the event by
parsing the alarm file and looking at the events from the dns module.
Following the example in Sec. 6.3 of the User Manual I put
<snip>
redef notice_action_filters += {
[[SensitiveDNS_Lookup]] = send_email_notice,
};
</snip>
in my local.site.bro file. However, when trying to start, that gives me
<snip>
BRO# ../etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.site.bro, line 21: error: unknown identifier
SensitiveDNS_Lookup, at or near "SensitiveDNS_Lookup"
... FAILED
</snip>
Any ideas? Please let me know if there is any more info I should
provide.
Thanks,
Steve
--
Stephen G. Smith
DODIG NETSEC Division
stephen.smith at dodig.mil
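The same redirection written out as a complete local policy fragment, as an added example that is not part of the original post. It assumes the "unknown identifier" comes from load order: the SensitiveDNS_Lookup notice type is declared in the dns policy and send_email_notice in notice-action-filters, so both must be loaded before the redef is parsed.

```bro
# Added example for local.site.bro (assumed file name from the post above).
# Assumption: Bro resolves the Notice enum value at parse time, so the policy
# that declares SensitiveDNS_Lookup (dns.bro) must be loaded before this
# redef, otherwise the identifier is unknown at that point in the file.
@load dns
# Assumption: the stock filter functions, including send_email_notice,
# are defined in notice-action-filters.bro.
@load notice-action-filters

# Route only this notice type to e-mail; every other notice keeps the
# default action (NOTICE_ALARM_ALWAYS for SensitiveDNS_Lookup otherwise).
redef notice_action_filters += {
    [SensitiveDNS_Lookup] = send_email_notice,
};
```

If the redef still fails with the same error after the loads, check that the local file is loaded after the dns policy in the site load order rather than before it.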