[Bro] Notifications from Local.bro
Damon Rouse
damonrouse at gmail.com
Mon May 19 15:58:50 PDT 2014
Hi Everyone
I'm pretty new to Bro and have a quick question about setting up alerts
from Bro. Inside my Local.bro file I have what's below
(which works great). If I uncomment the emailed_types redef, Bro errors
out after running the following: sudo broctl install && sudo broctl restart.
The error is: manager terminated immediately after starting; check output
with "diag"
Can you only have one redef statement in the local.bro file? Or did I make
a mistake somewhere?

hook Notice::policy(n: Notice::Info)
    {
    add n$actions[Notice::ACTION_EMAIL];
    }

# redef Notice::emailed_types += {
    HTTP::Incorrect_File_Type,
    SSH::Interesting_Hostname_Login,
    HTTP::Malware_Hash_Registry_Match,
    APT1::Domain_Hit,
    APT1::Certificate_Hit,
    APT1::File_MD5_Hit,
};

redef Notice::ignored_types += { SSL::Invalid_Server_Cert };

Thanks!