[Bro] Bro email notice question

Scotty Brown scotty.b.brown at gmail.com
Wed Mar 23 21:54:06 PDT 2016


Hi all,

I'm using Bro in Security Onion with Critical stack for intel feeds, we've alsoenabled email notices for Bro which are working well (as per https://github.com/Security-Onion-Solutions/security-onion/wiki/Email).

The email notices generated though just contain something like:

Message: Intel hit on 'some.domain' at 'DNS::IN_REQUEST'
Sub-Message: some.domain
Connection: x.x.x.x -> x.x.x.x Connection uid: aaaaa
Email Extensions
-----
orig/src hostname: box.internal
resp/dst hostname: some.domain


I then have to go grep the critical stack intel file for the description related to the particular hit to see whats up.

I've tried, but can't figure out how I add $sources from the Intel log into say $sub in /opt/bro/share/bro/policy/intel/do_notice.bro

I'm missing something small - can anyone help me out?

Cheers,

Scotty



More information about the Bro mailing list