[Bro] Intel Framework, Notices, and sending out emails

Derek Banks itsecderek at gmail.com
Fri Dec 20 09:13:36 PST 2013


Thanks Seth - that works.


On Fri, Dec 20, 2013 at 11:11 AM, Seth Hall <seth at icir.org> wrote:

>
> On Dec 20, 2013, at 10:27 AM, Derek Banks <itsecderek at gmail.com> wrote:
>
> > hook Notice::policy(n: Notice::Info)
> >             {
> >             add n$actions[Notice::ACTION_ALARM];
> >             }
>
> Try..
>
> add n$actions[Notice::ACTION_EMAIL];
>
> The alarm action may be a little confusing.  What it's doing is batching
> up notices and then sending them out on your log rotation interval in a
> single email.  It's sort of the lower priority notices that you don't care
> about receiving the instant they occur but you'd still like to know about
> them soon.
>
> You also have the ability to do multiple actions per-notice so you don't
> need to worry about overwriting an action if you add multiple. :)
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
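As an added illustration of the two actions Seth describes (not code from either poster), here is a Notice::policy hook that mails Intel framework hits as they occur and lets every other notice batch into the alarm summary; it assumes the Intel framework's do_notice policy is loaded and uses a placeholder mail address.

```bro
# Added example, not from the thread. Assumes the Intel framework's
# do_notice policy is loaded, which raises Intel::Notice on indicator hits.
@load frameworks/intel/seen
@load frameworks/intel/do_notice

# Destination for Notice::ACTION_EMAIL (placeholder address).
redef Notice::mail_dest = "soc-alerts@example.com";

hook Notice::policy(n: Notice::Info)
    {
    # Intel hits are time-sensitive: send them immediately.
    if ( n$note == Intel::Notice )
        add n$actions[Notice::ACTION_EMAIL];

    # Everything (including Intel hits) also goes into the batched alarm
    # summary sent at log rotation. n$actions is a set, so adding a second
    # action never overwrites the first.
    add n$actions[Notice::ACTION_ALARM];
    }
```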