[Bro] Changing notice log entry actions from Action::Log to Action::Email

Espresso Beanies espressobeanies at gmail.com
Wed Apr 26 08:36:56 PDT 2017


Ah, got it. Thanks Justin.

On Tue, Apr 25, 2017 at 5:16 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Apr 25, 2017, at 4:45 PM, Espresso Beanies <espressobeanies at gmail.com> wrote:
> >
> > Hi,
> >
> > In searching previous Bro posts, I'm still not able to understand how to
> > get Bro to email certain notice types as opposed to just creating log
> > entries.
> >
> > My local.bro file contains the following:
> >
> > redef Notice::emailed_types += {
> >   TeamCymruMalwareHashRegistry::Match,
> >   Intel::Notice,
> >   Intel::DOMAIN,
> >   Intel::CERT_HASH,
> >   Intel::FILE_HASH,
> > };
>
> ...
>
> > For these entries, where or what file do I change specific Notice::Types
> > from Notice::ACTION_LOG to Notice::ACTION_EMAIL?
>
> The Notice::emailed_types that is in your local.bro that you included in
> your email.
>
> If you want to get emailed about SSH::Password_Guessing then it should be
> in the emailed_types set.
>
> https://www.bro.org/sphinx/frameworks/notice.html#notice-policy-shortcuts
>
> --
> - Justin Azoff
>
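
An added example, not part of the thread and not the Bro project's own code: a local.bro fragment showing the emailed_types shortcut discussed above next to the Notice::policy hook that adds the same action conditionally. The recipient address and the "local source only" condition are assumptions made for illustration.

```bro
# Added illustration for local.bro (Bro 2.5-era syntax).
@load base/frameworks/notice
@load frameworks/files/detect-MHR          # TeamCymruMalwareHashRegistry::Match
@load protocols/ssh/detect-bruteforcing    # SSH::Password_Guessing

# Assumption: placeholder recipient. No mail is sent while Notice::mail_dest
# is empty; under BroControl it is normally filled in from MailTo in
# broctl.cfg, in which case this redef is not needed.
redef Notice::mail_dest = "soc@example.org";

# Shortcut: every notice of a listed type gets Notice::ACTION_EMAIL in
# addition to the default Notice::ACTION_LOG. Nothing else has to change.
redef Notice::emailed_types += {
	TeamCymruMalwareHashRegistry::Match,
};

# Same action, applied per notice instead of per type: mail
# SSH::Password_Guessing only when the guessing host is one of our own
# addresses (Site::local_nets must be populated for this to match).
# All other SSH::Password_Guessing notices are still written to notice.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Password_Guessing &&
	     n?$src && Site::is_local_addr(n$src) )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

To confirm the result, check the actions column of notice.log: entries that were mailed list Notice::ACTION_EMAIL alongside Notice::ACTION_LOG.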