[Bro] bro email notifications

Brian Tierney bltierney at lbl.gov
Fri Jun 23 06:23:38 PDT 2006

If you look at dns.bro, you will see:

module DNS;

This means you must append "DNS::" to all variables defined there, i.e.:

Smith, Stephen G., OIG DoD wrote:
> Hi all,
> I am working with the DNS module, and trying to change the notification for
> some of the alerts. Specifically, I would like to set the
> SensitiveDNS_Lookup alarm to NOTICE_EMAIL rather than
> NOTICE_ALARM_ALWAYS as is the default. I got that name for the event by
> parsing the alarm file and looking at the events from the dns module.
> Following the example in Sec. 6.3 of the User Manual I put
> <snip>
> redef notice_action_filters += {
> [[SensitiveDNS_Lookup]] = send_email_notice,
> };
> </snip>
> in my local.site.bro file. However, trying to start that gives me
> <snip>
> BRO# ../etc/bro.rc start
> bro.rc: Running as non-root user bro
> bro.rc: Starting ..........bro.rc: Failed to start Bro
> /usr/local/bro/site/local.site.bro, line 21: error: unknown identifier
> SensitiveDNS_Lookup, at or near "SensitiveDNS_Lookup"
> ... FAILED
> </snip>
> Any ideas? Please let me know if there is any more info I should
> provide.
> Thanks,
> Steve
> --
> Stephen G. Smith
> stephen.smith at dodig.mil

  Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
  1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
  tel: 510-486-7381    fax: 510-495-2998   efax: 425-642-4558
  bltierney at lbl.gov   http://www-didc.lbl.gov/~tierney
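
The namespace point in the reply above, as an added example that is not part of the original thread and not Bro project code: a small Python check that reads `module X;` declarations from policy script text and reports notice names used as `notice_action_filters` keys without their module prefix. The policy text is a constructed stand-in rather than the real dns.bro, it assumes notices are declared with `redef enum Notice += { ... }`, and `Example_Other_Notice` and the `GLOBAL` label are hypothetical.

```python
import re

# Constructed stand-in for a policy script that declares a module (not the real dns.bro).
SAMPLE_POLICY = """\
module DNS;
export {
    redef enum Notice += {
        SensitiveDNS_Lookup,    # name taken from the thread
        Example_Other_Notice,   # hypothetical
    };
}
"""

# The redef from the question, as it was placed in local.site.bro.
SAMPLE_SITE = """\
redef notice_action_filters += {
[[SensitiveDNS_Lookup]] = send_email_notice,
};
"""

_DECL = re.compile(
    r"^\s*module\s+(\w+)\s*;|redef\s+enum\s+Notice\s*\+=\s*\{([^}]*)\}", re.M)
_KEY = re.compile(r"\[+\s*([A-Za-z_][\w:]*)\s*\]+\s*=")


def notice_modules(policy_text):
    """Map each Notice enum name to the module whose scope declares it."""
    text = re.sub(r"#.*", "", policy_text)   # drop comments
    current, owners = "GLOBAL", {}
    for m in _DECL.finditer(text):
        if m.group(1):
            current = m.group(1)             # a 'module X;' line switches scope
        else:
            for name in filter(None, (n.strip() for n in m.group(2).split(","))):
                owners[name] = current
    return owners


def unqualified_keys(site_text, owners):
    """Return (line, name, qualified_name) for table keys missing their module prefix."""
    fixes = []
    for lineno, line in enumerate(site_text.splitlines(), 1):
        for m in _KEY.finditer(re.sub(r"#.*", "", line)):
            name = m.group(1)
            module = owners.get(name, "GLOBAL")
            if "::" not in name and module != "GLOBAL":
                fixes.append((lineno, name, f"{module}::{name}"))
    return fixes


if __name__ == "__main__":
    for lineno, name, fixed in unqualified_keys(SAMPLE_SITE, notice_modules(SAMPLE_POLICY)):
        print(f"line {lineno}: {name} -> {fixed}")
```
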
