[Bro] Bro Scripting Question

Jonathan Siwek jsiwek at ncsa.illinois.edu
Mon Oct 17 09:11:36 PDT 2011


> I can't seem to find a way to actually generate the email notification 
> from within my script, all my attempts produce syntax errors. Can anyone 
> suggest a script to look at? Thanks again, William


base/frameworks/notice/main.bro (from the git repos) might give you some hints at how to do it, but here are a couple of examples.

If you'd like to make a certain type of notice (either a predefined one or one you created) generate an email, you can augment the Notice::policy like this example:

# Address that ACTION_EMAIL notices are sent to.
redef Notice::mail_dest = "jsiwek@ncsa.illinois.edu";

redef Notice::policy += {
    [$result = Notice::ACTION_EMAIL,
     $pred(n: Notice::Info) =
        { return n$note == PacketFilter::Dropped_Packets; }
    ]
};

Or if you really need a more raw way to generate a mail at any point in a script you could do something like:

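event bro_init()
    {
    # Build the mail headers (subject, destination), then append the body.
    local msg = Notice::email_headers("Test Email Subject", "jsiwek@ncsa.illinois.edu");
    local body = "Here's the test email's body content.";
    msg = string_cat(msg, "\n", body);
    # Pipe the message to sendmail; -t takes the recipients from the headers.
    piped_exec(fmt("%s -t -oi", Notice::sendmail), msg);
    }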

Which would just send a mail once at startup.

- Jon
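
Added example, not part of the original message: the first approach above applied to a notice type defined in your own script, written against the same Notice::policy table syntax. The module name, notice name, threshold and mail address are constructed for illustration.

```bro
@load base/frameworks/notice

module RejectWatch;

export {
    redef enum Notice::Type += {
        ## One originator had many connection attempts rejected.
        Many_Rejected_Conns
    };

    ## Rejected connections per originator before a notice is raised.
    const reject_threshold = 20 &redef;
}

# Per-originator counters; entries expire so the table stays bounded.
global rejects: table[addr] of count &create_expire = 10 min;

# Constructed address; replace with your own.
redef Notice::mail_dest = "soc@example.org";

# Mail only the notice type defined above.
redef Notice::policy += {
    [$result = Notice::ACTION_EMAIL,
     $pred(n: Notice::Info) =
        { return n$note == RejectWatch::Many_Rejected_Conns; }
    ]
};

event connection_rejected(c: connection)
    {
    local orig = c$id$orig_h;

    if ( orig !in rejects )
        rejects[orig] = 0;
    ++rejects[orig];

    # Raise the notice once, when the count reaches the threshold,
    # so a noisy host produces one mail per expiry window.
    if ( rejects[orig] == reject_threshold )
        NOTICE([$note=Many_Rejected_Conns, $src=orig, $conn=c,
                $msg=fmt("%s had %d rejected connection attempts",
                         orig, reject_threshold)]);
    }
```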


