[Bro] Question about syntax with notice suppression on intel hits
Derek Banks
itsecderek at gmail.com
Thu Jul 3 05:49:54 PDT 2014
Hello all,
I am hooking into the notice framework to alert on hits from the intel
framework. For a given hit I get multiple emails. I'd like to suppress
the notice, but I am having a syntax issue. This is what I have that
doesn't work - what is the right syntax to add in a suppression interval of
X minutes?
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice && n?$src && !(n$src in intel_server_whitelist) )
        {
        add n$actions[Notice::ACTION_EMAIL];
        add n$suppress_for=5min;
        }
    }
Best Regards,
Derek
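Added example, not part of Derek's post or the Bro project's own scripts: a complete Bro script showing the Notice::policy hook with a suppression interval set the way the Notice framework expects it. `suppress_for` is an ordinary interval field of Notice::Info, so it is assigned with `=` rather than with `add` (which only applies to set and table elements such as `n$actions`). The `intel_server_whitelist` declaration and the placeholder addresses are assumptions made here so the script loads on its own; the hosts in it are constructed values. The script also assumes, as the Notice framework documents, that suppression is keyed on the pair of `note` and `identifier`, so it fills in an identifier from the matched indicator when the generating notice did not set one.

```bro
# Added example (not from the original post): email on Intel hits from
# non-whitelisted sources and suppress duplicate notices for five minutes.
@load base/frameworks/notice
@load base/frameworks/intel
@load policy/frameworks/intel/do_notice

# Assumed here: the whitelist from the post, declared as a redef-able set of
# addresses. The entries are constructed placeholders, not real servers.
const intel_server_whitelist: set[addr] = {
    10.0.0.5,
    10.0.0.6,
} &redef;

# Assumed here: how long to hold back repeats of the same Intel notice.
const intel_notice_suppression = 5min &redef;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != Intel::Notice )
        return;

    # Only email hits whose source is known and not whitelisted.
    if ( ! n?$src || n$src in intel_server_whitelist )
        return;

    add n$actions[Notice::ACTION_EMAIL];

    # suppress_for is an interval field, so it is assigned, not added to.
    n$suppress_for = intel_notice_suppression;

    # Suppression is keyed on note + identifier; if the Intel notice carried
    # no identifier, derive one from the indicator (in $sub) and the source
    # so that repeated hits on the same indicator collapse into one email.
    if ( ! n?$identifier )
        n$identifier = cat(n$src, "/", n?$sub ? n$sub : "");
    }
```

With this loaded, the first Intel::Notice for a given indicator and source still produces an email, and further hits with the same identifier within the interval are dropped by the framework; the suppression end is visible when the interval expires, so a quick check is to trigger the same indicator twice inside five minutes and confirm notice.log records only the first.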