[Bro] Intel Framework and email alerts

Tom OBrion hammadog at gmail.com
Tue May 13 10:02:10 PDT 2014


Hello all


Having a brain cramp on why my intel framework emails are not working.


Here is a snippet out of my feed file, let's say:


#fields indicator indicator_type meta.source meta.desc meta.do_notice
xxx.xxx.xxx.xxx Intel::ADDR Internal-Intel malware_addr T



My local.bro:


@load frameworks/intel/seen
@load frameworks/intel/do_notice

redef Intel::read_files += {
        "/nsm/bro/feeds/malware-addr.intel",
};

redef Notice::emailed_types += {
        Intel::Notice,
        TeamCymruMalwareHashRegistry::Match,
};

I know the notice framework and emails get sent, as I get my summary emails
as well as the malware hash emails. When I test and try to access
the address within the feed it gets logged to my intel.log file, but no
email is being sent. This used to work for me, but for some reason it is
not anymore. I know it's something stupid and I just need a slap upside
the head. Can someone point me in the right direction?


Thanks


-- 

Tom O'Brion
Twitter: @tobrion
Skype: TomOBrion
"Life is too short to spend time with people who suck the happy out of you."
