[Bro] Quick Notice question
James Lay
jlay at slave-tothe-box.net
Fri Jan 24 09:05:12 PST 2014
On 2014-01-24 09:48, Kellogg, Brian D (OLN) wrote:
> I've added a little more smarts to the script as I become more
> familiar with bro scripting. I'm simply amazed at the possibilities
> of Bro; thank you to those who have and continue to develop this
> awesome tool. I wish I had run across it five years ago. Attached is
> the current iteration. I'm trying to keep track of and alert on hosts
> that have multiple large upload events in a given time and any
> destination hosts that have seen multiple uploads over a given time.
> To disable the mail alerts just comment out the below. If any of my
> inline comments are unclear yell at me.
>
> #
> # Send email if Very_Large_Outgoing_Tx notice type is generated
> #
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$note == Very_Large_Outgoing_Tx || n$note == Multiple_Large_Outgoing_Tx )
>         add n$actions[Notice::ACTION_EMAIL];
>     }
>
> Thank you,
> Brian Kellogg
Thanks for this Brian...working with it now.
James
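For readers who do not have Brian's attachment, the following is an added example (not Brian's script and not part of the Bro distribution) showing the pieces his quoted hook relies on: the two custom notice types declared via `Notice::Type`, a per-host counter kept in a table with `&create_expire` so that "multiple large uploads in a given time" needs no manual cleanup, and the same `Notice::policy` hook that turns both notices into email. The module name `LargeTx`, the thresholds `large_tx_bytes` and `multi_tx_count`, and the window `tx_window` are assumptions chosen for illustration.

```bro
# Added example, not the script attached to the original message.
# Module name, thresholds and window are assumed values.
module LargeTx;

export {
    redef enum Notice::Type += {
        ## A single outbound connection sent more than large_tx_bytes.
        Very_Large_Outgoing_Tx,
        ## One internal host produced several such uploads inside tx_window.
        Multiple_Large_Outgoing_Tx,
    };

    ## Assumed byte count above which one upload counts as "large".
    const large_tx_bytes = 100000000 &redef;
    ## Assumed number of large uploads per host that raises the second notice.
    const multi_tx_count = 3 &redef;
    ## Window over which per-host counts are kept; entries expire after it.
    const tx_window = 1hr &redef;
}

## Large uploads seen per internal source, expiring tx_window after creation.
global tx_counts: table[addr] of count &create_expire=tx_window &default=0;

event connection_state_remove(c: connection)
    {
    local src = c$id$orig_h;

    # Only care about internal originators that pushed a lot of data out.
    if ( ! Site::is_local_addr(src) || c$orig$size < large_tx_bytes )
        return;

    # One notice per (source, destination) pair per window; suppression
    # keeps a chatty host from flooding notice.log and the mailbox.
    NOTICE([$note=Very_Large_Outgoing_Tx,
            $msg=fmt("%s sent %d bytes to %s", src, c$orig$size, c$id$resp_h),
            $conn=c,
            $identifier=cat(src, c$id$resp_h),
            $suppress_for=tx_window]);

    ++tx_counts[src];

    # Fire once when the host crosses the threshold inside the window.
    if ( tx_counts[src] == multi_tx_count )
        NOTICE([$note=Multiple_Large_Outgoing_Tx,
                $msg=fmt("%s produced %d large uploads within %s",
                         src, multi_tx_count, tx_window),
                $src=src,
                $identifier=cat(src),
                $suppress_for=tx_window]);
    }

# Same hook as in Brian's message: email both notice types.  Commenting
# this hook out stops the mail; the notices still land in notice.log.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Very_Large_Outgoing_Tx || n$note == Multiple_Large_Outgoing_Tx )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Email delivery also needs `Notice::mail_dest` set (for example `redef Notice::mail_dest = "soc@example.invalid";`, a placeholder address) and a working sendmail on the manager; without it the `ACTION_EMAIL` action is added but nothing is sent. The `$identifier` plus `$suppress_for` pair is what keeps a single runaway host from generating one message per connection.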