[Bro] Intel Framework, Notices, and sending out emails

[Derek Banks]

Hello all,
I am standing up what will become my first production Bro server.  I am
most interested in the Intel Framework and alerting on Intel hits and
sending those alerts to the team.

So far in testing the Intel framework is working great and the hits
aregoing to the notice.log per the exercise from the 2013 exchange ( I
have
about 28k domain names in there and it *seems* to be working great).

The problem I am having is sending email alerts from the notices.  If I
append the following into local.bro (from the post
http://mailman.icsi.berkeley.edu/pipermail/bro/2013-December/007185.html)
then it seems to kill the intel hits (none to notices and no intel.log
generated).

 hook Notice::policy(n: Notice::Info)
            {
            add n$actions[Notice::ACTION_ALARM];
            }


If this section of code comes before the intel framework section, then the
intel hits function fine, but I get no emails.

My broscripting talents are still in development (i.e. I am not very good
at it), but it seems like I am overwriting a variable (n) since it is used
for the notice script and in do_notice.  Or I may be completely wrong - I
admit I have much to learn.

Has anyone else scripted emailing Intel hits out to the the team and could
point me in the right direction?  Ideally I want the intel hits to go to
notice.log and email out anything that goes to notices.

My section for the Intel Framework in local.bro is the following:

@load policy/frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
    "/usr/local/bro/share/bro/site/file1.dat",
    "/usr/local/bro/share/bro/site/file2.dat",
    "/usr/local/bro/share/bro/site/file3.dat",
};


Best Regards,
Derek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20131220/2032c390/attachment.html