[Bro] Notifications from Local.bro
Jon Schipp
jonschipp at gmail.com
Mon May 19 17:28:01 PDT 2014
Just to be sure, are you uncommenting the entire emailed_types redefinition?
You have a comment character at the beginning of the definition in your
output, "# redef Notice::emailed_types +=".
On Mon, May 19, 2014 at 5:58 PM, Damon Rouse <damonrouse at gmail.com> wrote:
> Hi Everyone
>
> I'm pretty new to BRO and have a quick question about setting up alerts
> from Bro. Inside my Local.bro file I have the following (which works
> great). If I uncomment the emailed_types redef, Bro errors out after
> running "sudo broctl install && sudo broctl restart". The error is:
> manager terminated immediately after starting; check output with "diag"
>
> Can you only have one redef statement in the local.bro file? Or did I
> make a mistake somewhere?
>
> hook Notice::policy(n: Notice::Info)
> {
> add n$actions[Notice::ACTION_EMAIL];
> }
>
> # redef Notice::emailed_types += {
> HTTP::Incorrect_File_Type,
> SSH::Interesting_Hostname_Login,
> HTTP::Malware_Hash_Registry_Match,
> APT1::Domain_Hit,
> APT1::Certificate_Hit,
> APT1::File_MD5_Hit,
> };
>
> redef Notice::ignored_types += { SSL::Invalid_Server_Cert };
>
> Thanks!
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
--
Jon Schipp,
jonschipp.com, sickbits.net
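For reference, here is what the block looks like once the whole redef is uncommented. This is an added example, not the original poster's file or Jon's reply: with only the first line commented out, the type names and the closing "};" are left standing on their own and Bro's parser rejects them, which is the kind of syntax error that makes the manager exit immediately and shows up under "broctl diag". The hook is changed here as well: the default Notice policy already adds ACTION_EMAIL for any type listed in Notice::emailed_types, so a hook that adds it unconditionally (as in the quoted message) emails every notice and makes the set irrelevant. The 10.0.0.0/8 range and the "email everything from internal hosts" condition are assumptions for illustration.

```bro
# Added example local.bro fragment (assumed configuration, not the poster's).
# The entire redef is live, so every line down to "};" is part of the set
# literal and each type is parsed as a Notice::Type.
redef Notice::emailed_types += {
    HTTP::Incorrect_File_Type,
    SSH::Interesting_Hostname_Login,
    HTTP::Malware_Hash_Registry_Match,
    APT1::Domain_Hit,
    APT1::Certificate_Hit,
    APT1::File_MD5_Hit
};

# Several redefs of different variables in one file are fine.
redef Notice::ignored_types += { SSL::Invalid_Server_Cert };

# Notice::emailed_types already causes ACTION_EMAIL to be added for the
# types above, so the hook only needs to cover what a type list cannot
# express.  Assumed example: also email any notice whose source address
# falls in an (assumed) internal range.
hook Notice::policy(n: Notice::Info)
    {
    if ( n?$src && n$src in 10.0.0.0/8 )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

After editing, the usual sequence is "broctl check" to catch parse errors before "broctl install" and "broctl restart"; "broctl diag" shows the parser's message when the manager dies on startup.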