[Bro] Bro email notice question
Scotty Brown
scotty.b.brown at gmail.com
Wed Mar 23 21:54:06 PDT 2016
Hi all,
I'm using Bro in Security Onion with Critical Stack for intel feeds; we've also enabled email notices for Bro, which are working well (as per https://github.com/Security-Onion-Solutions/security-onion/wiki/Email).
The email notices generated though just contain something like:
Message: Intel hit on 'some.domain' at 'DNS::IN_REQUEST'
Sub-Message: some.domain
Connection: x.x.x.x -> x.x.x.x Connection uid: aaaaa
Email Extensions
-----
orig/src hostname: box.internal
resp/dst hostname: some.domain
I then have to go grep the Critical Stack intel file for the description related to the particular hit to see what's up.
I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro
I'm missing something small - can anyone help me out?
Cheers,
Scotty
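The change the post is asking about, written out as an added example (it is not Scotty's code and not the do_notice.bro that ships with Bro). It assumes the Bro 2.4 intel framework, where matches are delivered through the Intel::extend_match hook and the Info record carries the same $sources set that is written to intel.log; the script reproduces the stock do_notice logic and only changes how the notice is built, so it is meant to be loaded from local.bro in place of the stock do_notice script, not alongside it (loading both would produce two notices per hit and redefine the same enum value twice):

```bro
# intel-notice-sources.bro  (added example; not the list post's or Bro's own script)
#
# Assumptions: Bro 2.4 intel framework (hook Intel::extend_match with an Info
# argument, Info$sources as a set[string], built-in join_string_set()), and the
# stock policy/frameworks/intel/do_notice.bro is NOT loaded, since this script
# replaces it.  Load it from local.bro:  @load ./intel-notice-sources
@load base/frameworks/intel
@load base/frameworks/notice

module Intel;

export {
	redef enum Notice::Type += {
		## Intel hit; $sub carries the feed names instead of the indicator.
		Intel::Notice
	};

	redef record Intel::MetaData += {
		## Set per indicator in the intel file to request a notice.
		do_notice: bool &default=F;
		## Optionally restrict notices to one place the indicator was seen.
		if_in: Intel::Where &optional;
	};
}

# Runs after the intel framework has filled in info (including info$sources),
# which is the set of feed names that also lands in intel.log's "sources" column.
hook Intel::extend_match(info: Info, s: Seen, items: set[Item]) &priority=-5
	{
	local notice = F;
	for ( item in items )
		{
		if ( item$meta$do_notice &&
		     ( ! item$meta?$if_in || s$where == item$meta$if_in ) )
			notice = T;
		}

	if ( ! notice )
		return;

	# Flatten the set so it fits in a string field; "Critical Stack" feeds
	# show up here under whatever source name the feed was loaded with.
	local srcs = join_string_set(info$sources, ", ");

	local n = Notice::Info($note=Intel::Notice,
	                       $msg=fmt("Intel hit on %s at %s (sources: %s)",
	                                s$indicator, s$where, srcs),
	                       $sub=srcs);

	# Attach the connection when the match came from traffic, so the email
	# still gets the orig/resp addresses and uid.
	if ( s?$conn )
		n$conn = s$conn;

	NOTICE(n);
	}
```

The indicator itself is still in $msg, so nothing from the original email is lost; if you would rather keep $sub as the indicator and put the sources in $msg only, drop the $sub change and keep the fmt() line. On a Security Onion cluster the script has to be deployed to every worker (broctl deploy), because the hook runs where the match happens.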