[Bro] bro email scripts
Brian Tierney
bltierney at lbl.gov
Tue Jun 27 07:22:06 PDT 2006
Smith, Stephen G., OIG DoD wrote:
> Hello all,
>
> I am working on getting the email reports and alarms working in BRO, and
> I am having to do a bit of hacking to modify it to use ssmtp instead of
> sendmail. However in the process I have noticed a few things which I
> figured I should ask about before I go too far.
>
> 1. There is the mail_notice.sh script in the scripts dir which
> references the body of the alarm being in /tmp/bro.notice.$$, however I
> can't find this file being created anywhere in the notice policy.
That script is actually old and no longer used.
> 2. I don't see this script getting called anywhere in the notice policy
> either, instead the mail_script var was declared as /bin/mail, which
> doesn't work.
If you redef "mail_script" to the location of mail on your system, and
also redef "mail_dest" to a valid email address, this should work.
>
> This leaves me with the following question: in the notice-policy file
> what var contains the text of the alarm? If I can know that then I will
> be able to figure how to pipe it to where I want it. I am assuming that
> email system in this release is not actually broken, it is just my
> installation.
>
See line 215 in notice.bro. The text of the mail message comes from n$note.
For debugging, I always add this line to the end of the email_notice()
routine in notice.bro:
print mail_cmd;
This way you can verify that email_notice() is in fact being called, and
you can try running the script by hand to verify that its working
correctly. These print statements will end up in the "info.log" file.
Hope this helps.
More information about the Bro
mailing list