[Bro] ACTION_ALARM and ACTION_EMAIL

Tim Desrochers tgdesrochers at gmail.com
Wed Jan 6 07:33:41 PST 2016


I have my sensor set up to email me notices with:

hook Notice::policy(n: Notice::Info)
    {
    # Email every notice that reaches the policy hook
    add n$actions[Notice::ACTION_EMAIL];
    }

If I understand correctly this will email me upon any entry in the
notice.log.  Is there a way to:
1. only get specific items emailed upon entry
2. get the rest of notice.log entries emailed with ACTION_ALARM in the
alarm-mail.txt and have that ignore anything that was previously emailed.
3. Only get one notice email per alert?

What I am doing is in the /opt/bro/share/bro/intel folder creating
different folders with IOCs I want the intel framework to look over and I
am using meta.do_notice to send the items of importance to the notice log.

Excuse my ignorance with this subject I am just now trying to get things
emailed out efficiently to reduce some noise and redundancy my analysts are
seeing.
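One way to get all three behaviours, as an added example that is not from the post or from the Bro project. It assumes Bro 2.x with frameworks/intel/do_notice loaded (the setup described above); the notice type Intel_Hit is a hypothetical name chosen here, and suppression is keyed on the matched indicator.

```bro
# Added example, not from the original post. Assumes Bro 2.x with the
# intel framework's do_notice script loaded.
@load frameworks/intel/do_notice

# Hypothetical notice type raised below instead of the stock Intel::Notice,
# so that an identifier can be attached for suppression.
redef enum Notice::Type += { Intel_Hit };

# 1. Email only these types. The built-in policy hook (priority 10) adds
#    ACTION_EMAIL for them, so no custom hook is needed for that part.
redef Notice::emailed_types += { Intel_Hit };

# Drop the stock Intel::Notice entirely; Intel_Hit replaces it.
redef Notice::ignored_types += { Intel::Notice };

# 3. One email per indicator per day. Suppression is keyed on
#    [note, identifier], so the notice must carry $identifier (set below).
redef Notice::type_suppression_intervals += { [Intel_Hit] = 1day };

# Raise Intel_Hit for items flagged with meta.do_notice, with an identifier
# built from the indicator and where it was seen.
event Intel::match(s: Intel::Seen, items: set[Intel::Item])
    {
    local wanted = F;
    for ( item in items )
        if ( item$meta$do_notice )
            wanted = T;
    if ( ! wanted )
        return;

    local n = Notice::Info($note=Intel_Hit,
                           $msg=fmt("Intel hit on %s at %s", s$indicator, s$where),
                           $sub=s$indicator,
                           $identifier=cat(s$indicator, s$where));
    if ( s?$conn )
        {
        n$conn = s$conn;
        n$src  = s$conn$id$orig_h;
        n$dst  = s$conn$id$resp_h;
        }
    NOTICE(n);
    }

# 2. Anything not emailed goes to alarm.log (ACTION_ALARM), which broctl's
#    periodic summary sends as alarm-mail.txt. Priority -5 runs after the
#    built-in hook, so n$actions already reflects emailed_types.
hook Notice::policy(n: Notice::Info) &priority=-5
    {
    if ( Notice::ACTION_EMAIL !in n$actions )
        add n$actions[Notice::ACTION_ALARM];
    }
```

Load this from local.bro; because the alarm hook only fires for notices without ACTION_EMAIL, nothing that was emailed also lands in alarm-mail.txt.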

