[Bro] bro email notifications

Smith, Stephen G., OIG DoD Stephen.Smith at dodig.mil
Fri Jun 23 04:44:21 PDT 2006

Hi all,

I am working with the DNS module, and trying to change the notification for
some of the alerts. Specifically, I would like to set the
SensitiveDNS_Lookup alarm to NOTICE_EMAIL rather than
NOTICE_ALARM_ALWAYS as is the default. I got that name for the event by
parsing the alarm file and looking at the events from the dns module.
Following the example in Sec. 6.3 of the User Manual, I put

redef notice_action_filters += {
[[SensitiveDNS_Lookup]] = send_email_notice,

in my local.site.bro file. However, when trying to start, that gives me

BRO# ../etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.site.bro, line 21: error: unknown identifier
SensitiveDNS_Lookup, at or near "SensitiveDNS_Lookup"

Any ideas? Please let me know if there is any more info I should


Stephen G. Smith
stephen.smith at dodig.mil
