[Bro] question about send_email_notice

Matt Cuttler mcuttler at bnl.gov
Tue Feb 20 11:53:45 PST 2007


Bro users and developers,

We have modified our notice action filters; some notices/alerts get sent
via email (while others only get logged to file_notice).

A small snippet:

redef notice_action_filters += {
	[[AddressScan, PortScan, PasswordGuessing]] = send_email_notice,
};

redef notice_action_filters += {
	[[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound]] = file_notice,
};


My question is: Is it easily possible to place additional information in
the email notices themselves?

For example, an AddressScan mail might simply say, "10.11.12.13 has
scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
("grep time" if you will) if the mail included the hosts which were
considered scanned by Bro.

Thanks,
Matt Cuttler
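One way to do what is asked above, as an added example rather than code from the original post or from the Bro distribution: instead of mapping AddressScan straight to send_email_notice, map it to your own filter function with the same signature, have that function append the scanned hosts to n$msg, and then return the same NOTICE_EMAIL action that send_email_notice returns. The names below (notice_action_filters, notice_info, NoticeAction, NOTICE_EMAIL, send_email_notice from notice.bro; the distinct_peers table keyed by scanner address from scan.bro) are assumed to match the Bro 1.x policy scripts of the time and should be checked against the local policy/ directory; max_listed_peers and send_addr_scan_email are names introduced here.

```bro
# Added example, not part of the original post or of Bro itself.
# Assumes Bro 1.x notice.bro (notice_action_filters, notice_info,
# NoticeAction, NOTICE_EMAIL, send_email_notice) and scan.bro
# (distinct_peers: table[addr] of set[addr]).  Verify locally.

@load notice
@load scan

# Cap on how many addresses go into one mail, so a sweep of a large
# network does not produce an unreadable message.  Assumed tunable,
# not a Bro built-in.
const max_listed_peers = 50 &redef;

# Same signature as send_email_notice, so it can sit in the same table.
function send_addr_scan_email(n: notice_info, a: NoticeAction): NoticeAction
	{
	# src is &optional on notice_info; only extend the message when
	# we have a scanner address and scan.bro still tracks its peers.
	if ( n?$src && n$src in distinct_peers )
		{
		local peers = distinct_peers[n$src];
		local listed = 0;
		local hosts = "";

		for ( h in peers )
			{
			if ( ++listed > max_listed_peers )
				{
				hosts = fmt("%s ... (%d total)", hosts, length(peers));
				break;
				}
			hosts = fmt("%s %s", hosts, h);
			}

		# notice_info is a record (reference type), so the message
		# the mailer formats afterwards should carry this text.
		# Assumption: the filter runs before the mail body is built.
		n$msg = fmt("%s; scanned hosts:%s", n$msg, hosts);
		}

	# Deliver by mail, exactly as send_email_notice does.
	return NOTICE_EMAIL;
	}

# AddressScan now goes through the enriched filter; the other two
# notices keep the stock mail action from the original snippet.
redef notice_action_filters += {
	[AddressScan] = send_addr_scan_email,
	[[PortScan, PasswordGuessing]] = send_email_notice,
};
```

If the installed notice.bro formats the mail body before the filter has a chance to touch n$msg, the fallback is to build and send the mail from inside the filter and return NOTICE_FILE so the stock mailer does not send a second, shorter copy.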
