[Bro] bro cluster notification options

Robin Sommer robin at icir.org
Mon Feb 7 08:57:09 PST 2011


On Fri, Feb 04, 2011 at 11:00 -0600, you wrote:

> different address than our normal incident response list.  One option is
> to just write a function that does that emailing through a script, but I'm
> just checking to make sure there isn't a built-in variable for that.

Not a variable, but there's a function email_notice_to() you can use
in your notice_policy, like this:

    redef notice_policy += {
        [$pred(n: notice_info) = {

            if ( n$note == HTTP::HTTP_SensitiveURI )
                {
                if ( /INTERESTING-URL/ in n$URL )
                    email_notice_to(n, "guy at interested.in.this.url");
                }

            return F;
        }]
    };

This mails out matching notices to the given address in addition to
normal handling. If you only wanted to mail them out, but not be
reported locally, that normal handling could just set them to
NOTICE_FILE. 

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
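As an added illustration (not from Robin's mail or the Bro distribution), this is how the second variant described above, mailing matching notices out but not alarming on them locally, could look as a separate notice_policy entry. It assumes the Bro 1.x notice_policy_item record with a $result field (NoticeAction) alongside $pred, and that a predicate returning T applies that result instead of the default handling; the address and URL pattern are placeholders.

```bro
# Added example: route HTTP_SensitiveURI notices whose URL matches a
# pattern to a dedicated mailbox, and keep them out of the local alarm
# stream by assigning NOTICE_FILE (file-only logging) as the result.
# Assumes Bro 1.x notice_policy_item with $pred and $result fields.

# Placeholder pattern and recipient; replace with real values.
const sensitive_url_pattern = /INTERESTING-URL/ &redef;
const sensitive_url_contact = "guy at interested.in.this.url" &redef;

redef notice_policy += {
    [$pred(n: notice_info) = {
        if ( n$note != HTTP::HTTP_SensitiveURI )
            return F;               # not ours: fall through to default handling

        if ( ! n?$URL || sensitive_url_pattern !in n$URL )
            return F;               # no URL, or URL does not match

        # Send this notice to the dedicated address ...
        email_notice_to(n, sensitive_url_contact);

        # ... and return T so $result below (NOTICE_FILE) applies:
        # the notice is still written to the notice file but raises
        # no local alarm.
        return T;
    },
    $result = NOTICE_FILE]
};
```

The `n?$URL` check is there because the URL field of notice_info is optional; testing the pattern against an unset field would be a runtime error. If both the "mail and handle normally" entry from the mail above and this one are present, the first one to match wins, so keep only the variant you want for a given notice type.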


