[Bro] Debugging Bro Scripts Where action = Notice::ACTION_EMAIL

Seth Hall seth at icir.org
Fri Aug 31 06:29:48 PDT 2012


On Aug 29, 2012, at 4:14 PM, Chris Crawford <christopher.p.crawford at gmail.com> wrote:

> Either way, I wouldn't have had much confidence that my
> script was doing what I wanted it to do, so what would be the point in
> using it in a live capture scenario?


You will still see the Notice::ACTION_EMAIL action attached to your notice in notice.log.  

I do agree though that we need to revisit the decision of how email is handled.  You may be right that the correct decision is to get rid of those two lines like you did.  We just need to think about it a bit more.

Thanks!
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
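
Added example (not part of the original message, and not code from the Bro project): one way to run the check described in the reply above, by parsing a notice.log and listing the notices whose actions column includes Notice::ACTION_EMAIL. The sample log is constructed and uses a reduced set of columns, and the notice type MyScript::Test_Notice is hypothetical.

```python
# Added example. SAMPLE_NOTICE_LOG is constructed: reduced columns, and the
# notice type MyScript::Test_Notice is hypothetical.
SAMPLE_NOTICE_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tnotice",
    "#fields\tts\tnote\tmsg\tactions",
    "#types\ttime\tenum\tstring\ttable[enum]",
    "1346246040.000000\tMyScript::Test_Notice\tfirst\tNotice::ACTION_LOG,Notice::ACTION_EMAIL",
    "1346246041.000000\tMyScript::Test_Notice\tsecond\tNotice::ACTION_LOG",
    "1346246042.000000\tMyScript::Test_Notice\tthird\t(empty)",
])


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts, honouring its header."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # This header line is space-delimited and escaped, e.g. \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "set_separator":
                set_sep = vals[0]
            elif key == "empty_field":
                empty = vals[0]
            elif key == "unset_field":
                unset = vals[0]
            elif key == "fields":
                fields = vals
            elif key == "types":
                types = vals
        elif line:
            row = {}
            for name, typ, val in zip(fields, types, line.split(sep)):
                if val == unset:
                    row[name] = None
                elif typ.startswith(("table[", "set[", "vector[")):
                    row[name] = [] if val == empty else val.split(set_sep)
                else:
                    row[name] = val
            rows.append(row)
    return rows


def emailed_notices(text, action="Notice::ACTION_EMAIL"):
    """Return notices whose actions set contains the given action."""
    return [r for r in parse_bro_log(text) if action in (r.get("actions") or [])]
```

To check a real run, pass the contents of the notice.log that Bro wrote to emailed_notices() and confirm the notice raised by the script under test is in the result.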




