[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Chris Crawford christopher.p.crawford at gmail.com
Tue Aug 28 13:22:49 PDT 2012


I spent quite a bit of time and effort trying to figure this out.  Dropping
a note out to the community to hopefully help the next guy.

Over in this thread
http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005811.html

I couldn't figure out why this script
http://mailman.icsi.berkeley.edu/pipermail/bro/2012-August/005812.html

would not send an email alert via the Notice framework.

I was testing the script on a small pcap file. I thought that
debugging approach would enable me to quickly, easily, and reliably
check to see if my new bro script was working as intended.

Here's the problem with that development/debugging approach.  The
first few lines in the function email_notice_to (found in
frameworks/notice/main.bro specifically) check to see if you are
reading traffic from a trace file, and then silently disable email
alerting if you are.  This turned out to be very frustrating to debug.

To confirm that my script was working as expected, I had to change the
following lines in frameworks/notice/main.bro:

function email_notice_to(n: Notice::Info, dest: string, extend: bool)
        {
        # Early return: email is silently suppressed when reading from a trace file
        if ( reading_traces() || dest == "" )
                return;

to the following:

function email_notice_to(n: Notice::Info, dest: string, extend: bool)
        {
#       if ( reading_traces() || dest == "" )
#               return;

If you plan to test a new script where you expect it to send an email
via the Notice framework, I recommend that you send traffic that ought
to trigger an email alert over the wire.

That's not a viable option for me, so commenting out the lines above
is a better approach.

I would also recommend that either the bro documentation make note of
this "feature" or that the resulting notice.log print a message to
indicate that email alerting was disabled because it isn't reading
traffic from a live network capture.

-Chris
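As an added example (not part of Chris's post or of the Bro distribution), a small script that makes the silent early return in email_notice_to visible instead of patching frameworks/notice/main.bro. It assumes Bro 2.1 or later, where Notice::policy is a hook; the file name is hypothetical.

```bro
# trace_email_check.bro (hypothetical file name)
# Warns, via the Reporter framework, whenever email alerting is being
# dropped because Bro is reading a trace file (bro -r foo.pcap ...).

@load base/frameworks/notice

module TraceEmailCheck;

event bro_init()
    {
    # One-time warning at startup: a configured mail destination will be
    # ignored for the whole run while input comes from a trace file.
    if ( reading_traces() && Notice::mail_dest != "" )
        Reporter::warning(fmt("Notice::mail_dest is set to %s, but Bro is reading a trace file; email_notice_to() returns early and no mail will be sent",
                              Notice::mail_dest));
    }

# Low priority so this runs after the hooks that add actions to n$actions.
hook Notice::policy(n: Notice::Info) &priority=-10
    {
    # Per-notice warning: ACTION_EMAIL was requested, but the framework will
    # silently discard it while reading_traces() is true.
    if ( reading_traces() && Notice::ACTION_EMAIL in n$actions )
        Reporter::warning(fmt("Notice %s requested ACTION_EMAIL, which is suppressed because traffic is being read from a trace file",
                              n$note));
    }
```

The warnings land in reporter.log, so a pcap-based test run shows immediately that the notice fired and why no mail followed.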
