[Bro] question about send_email_notice

Brian Tierney bltierney at lbl.gov
Wed Feb 21 19:35:26 PST 2007 

My solution to this was to modify the email_notice function in
notice.bro as follows:

function email_notice(n: notice_info, action: NoticeAction,
		info: string)
        {
        if ( ! reading_live_traffic() || mail_dest == "" )
                return;

        # Choose destination address based on action type.
        local destination = (action == NOTICE_EMAIL) ?
                mail_dest : mail_page_dest;
        local mail_cmd = "";

        if (detailed_email)
           {
           # this version assumes script to generate more detailed Alarm
           mail_cmd = fmt("echo \"%s\" \| %s %s", info,
		mail_script, destination);
           }
        else  # this version assumes simple Alarm sent
	      #      directly to Mail command
           {

           mail_cmd = fmt("echo \"%s\" | %s -s \"[Bro Alarm] %s\" %s",
                           n$msg, mail_script, n$note, destination);
           }
        system(mail_cmd);
        }

----

By passing 'info' to this function, I was able to write my own email
script containing the extra information.






Matt Cuttler wrote:
> Bro users and developers,
> 
> We have modified our notice action filters; some notices/alerts get sent
> via email (while others only get logged to file_notice).
> 
> A small snippet:
> 
> redef notice_action_filters += {
>  [[AddressScan, PortScan, PasswordGuessing ]] = send_email_notice,
> };
> 
> redef notice_action_filters += {
>  [[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound ]] =
> file_notice,
> };
> 
> 
> My question is: Is it easily possible to place additional information in
> the email notices themselves?
> 
> For example, an AddressScan mail might simply say, "10.11.12.13 has
> scanned 100 hosts (45653/tcp)". It would save a log of analyst time
> ("grep time" if you will) if the mail included the hosts which were
> considered scanned by Bro.
> 
> Thanks,
> Matt Cuttler
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 
------------------------------------------------------------------------
  Brian L. Tierney,   Lawrence Berkeley National Laboratory (LBNL)
  1 Cyclotron Rd.  MS: 50B-2239,  Berkeley, CA  94720
  tel: 510-486-7381    fax: 510-495-2998   efax: 425-642-4558
  bltierney at lbl.gov   http://www-didc.lbl.gov/~tierney
------------------------------------------------------------------------

More information about the Bro mailing list