[Bro] Changing notice log entry actions from Action::Log to Action::Email
Azoff, Justin S
jazoff at illinois.edu
Tue Apr 25 14:16:12 PDT 2017
> On Apr 25, 2017, at 4:45 PM, Espresso Beanies <espressobeanies at gmail.com> wrote:
>
> Hi,
>
> In searching previous Bro posts, I'm still not able to understand how to get Bro to email certain notice types as opposed to just creating log entries.
>
> My local.bro file contains the following:
>
> redef Notice::emailed_types += {
> TeamCymruMalwareHashRegistry::Match,
> Intel::Notice,
> Intel::DOMAIN,
> Intel::CERT_HASH,
> Intel::FILE_HASH,
> };
...
> For these entries, where or what file do I change specific Notice::Types from Notice::ACTION_LOG to Notice::ACTION_EMAIL?
The Notice::emailed_types that is in your local.bro that you included in your email.
If you want to get emailed about SSH::Password_Guessing then it should be in the emailed_types set.
https://www.bro.org/sphinx/frameworks/notice.html#notice-policy-shortcuts
--
- Justin Azoff
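
The approach from the reply above, written out as a local.bro fragment. This is an added example, not code from the thread or from the Bro project; the mail address is a placeholder, and the choice of SSH::Interesting_Hostname_Login and the local-address condition in the hook are assumptions made for illustration.

```bro
# Added example for local.bro (not from the original thread).

# The scripts that define the notice types used below must be loaded,
# otherwise the names are unknown when the policy is parsed.
@load protocols/ssh/detect-bruteforcing    # SSH::Password_Guessing
@load protocols/ssh/interesting-hostnames  # SSH::Interesting_Hostname_Login

# Destination for ACTION_EMAIL. Placeholder address (assumption).
# Under BroControl this is normally derived from MailTo in broctl.cfg.
redef Notice::mail_dest = "soc@example.org";

# Shortcut form: every notice whose type is in this set gets
# Notice::ACTION_EMAIL added to its actions. Notices are still written
# to notice.log; the email is in addition to the log entry.
# The set holds Notice::Type values only.
redef Notice::emailed_types += {
	SSH::Password_Guessing,
};

# Long form: the Notice::policy hook runs for every notice and can add
# actions based on more than the type. Here (illustrative condition)
# an interesting-hostname login is emailed only when the source
# address is not in Site::local_nets.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note != SSH::Interesting_Hostname_Login )
		return;

	# n$src is optional, so test for it before reading it.
	if ( n?$src && ! Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

After restarting Bro with this loaded, the actions column of notice.log shows Notice::ACTION_EMAIL next to Notice::ACTION_LOG for the affected notices, which is a quick way to confirm the policy took effect before checking mail delivery.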