[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL
Chris Crawford
christopher.p.crawford at gmail.com
Wed Aug 29 13:11:11 PDT 2012
Not sure how much of a pain this idea would be to implement, but it
would be great if all email went to the address specified by MailTo,
unless you specifically override that value in a custom Bro script.
That way a Bro script could have something similar to a local MailTo
variable and all notices sent out from that custom script would be
sent to the new email address.
-Chris
On Wed, Aug 29, 2012 at 1:06 PM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 28, 2012, at 6:12 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:
>
>> redef Notice::mail_dest = "alert@email.com";
>>
>> in a custom Bro script doesn't appear to override the value specified
>> by the MailTo variable set in etc/broctl.cfg.
>
> Yes, this is an unfortunate side effect of automatically changing settings through BroControl. I believe that the documentation has been updated for 2.1 to clarify which variables are affected. I still don't think we are completely sure of the direction this will go long term, but it is definitely unclear at the moment.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>