[Bro] Email Notice attempt #2
Azoff, Justin S
jazoff at illinois.edu
Mon Aug 14 06:45:03 PDT 2017
> On Aug 12, 2017, at 1:11 PM, craig bowser <reswob10 at gmail.com> wrote:
>
> OK, further refinement:
>
> I've been going over the documentation for notices and raising alerts and googling and I think I've got the right code syntax, but I still am not getting emailed alerts.
>
>
> I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro
>
> const mail_dest = "reswob10 at gmail.com" &redef;
Do not modify the scripts that are shipped with Bro. This setting is best configured by using the MailTo setting in broctl.cfg.
> hook Notice::policy(n: Notice::Info) {
> if (n$note == HTTP::Basic_Auth_Server)
> print n$note;
> add n$actions[Notice::ACTION_EMAIL];
> }
You're missing a set of braces here, and this block is really:

hook Notice::policy(n: Notice::Info) {
    if (n$note == HTTP::Basic_Auth_Server)
        print n$note;
    add n$actions[Notice::ACTION_EMAIL];
}
You should use simply the
redef Notice::emailed_types += { HTTP::Basic_Auth_Server };
that you had before.
> When I run the script against a local pcap with HTTP basic auth traffic, I get the printed line:
>
> root at raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro
> HTTP::Basic_Auth_Server
>
>
> But I never get the emailed alert.
Bro does not send email when running against a pcap file.
> Could you please provide any tips/suggestions/corrections/rebukes for what I'm doing? Are there other configurations I missed? Is there a general log for bro that can show an error if it's trying to send email but it can't?
Look at the notice.log. If the actions column contains Notice::ACTION_EMAIL then the script is trying to email the notice. If you did not receive the email then look at stderr.log and the system wide mail log.
--
- Justin Azoff
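The check Justin describes (look at the actions column of notice.log for Notice::ACTION_EMAIL before suspecting the mail setup) as an added example; this is not code from the thread or from the Bro project. It parses Bro's tab-separated ASCII log format using the `#fields`, `#set_separator`, `#empty_field` and `#unset_field` header lines rather than hard-coded column positions, so it works on the full notice.log and not only on the trimmed sample. The sample log, the function names and the uids in it are constructed for the example.

```python
"""Check which notices in a Bro notice.log carried Notice::ACTION_EMAIL.

Added example, not code from the thread or from Bro itself.  If a notice
shows ACTION_EMAIL here, the Notice framework tried to send mail and the
problem is downstream (stderr.log, the system mail log); if it does not,
the policy/emailed_types configuration never added the action.
"""

BRO_SEPARATOR = "\t"  # Bro's default field separator (recorded as '#separator \x09')

# Constructed sample notice.log: columns trimmed to what the example needs.
# A real notice.log carries many more fields; the parser does not care.
SAMPLE_NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tnote\tmsg\tactions\tsuppress_for\n"
    "#types\ttime\tstring\tenum\tstring\tset[enum]\tinterval\n"
    "1502700000.000000\tCHhAvVGS1DHFjwGM9\tHTTP::Basic_Auth_Server\t"
    "HTTP server requested basic auth\tNotice::ACTION_LOG,Notice::ACTION_EMAIL\t3600.000000\n"
    "1502700001.000000\tC4J4Th3PJpwUYZZ6gc\tSSH::Password_Guessing\t"
    "some guessing\tNotice::ACTION_LOG\t3600.000000\n"
    "1502700002.000000\tCRbX2z4YBF1HtWP2h\tHTTP::Basic_Auth_Server\t"
    "HTTP server requested basic auth\tNotice::ACTION_LOG,Notice::ACTION_EMAIL\t3600.000000\n"
    "#close\t2017-08-14-06-45-03\n"
)


def parse_bro_log(text):
    """Return (meta, rows): header metadata and one dict per data row."""
    meta = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header/footer lines are '#name<TAB>value'.  '#separator' is the
            # one exception (space, then an escaped byte) and is simply skipped.
            if line.startswith("#separator"):
                continue
            key, _, value = line[1:].partition(BRO_SEPARATOR)
            if key == "fields":
                fields = value.split(BRO_SEPARATOR)
            elif key in meta:
                meta[key] = value
            continue  # #path, #types, #open, #close carry no records
        if fields is None:
            raise ValueError("data row before #fields header: %r" % line)
        values = line.split(BRO_SEPARATOR)
        if len(values) != len(fields):
            raise ValueError("expected %d columns, got %d: %r"
                             % (len(fields), len(values), line))
        rows.append(dict(zip(fields, values)))
    return meta, rows


def parse_set(value, meta):
    """Decode a set[...] column; unset ('-') or empty becomes the empty set."""
    if value in (meta["unset_field"], meta["empty_field"]):
        return set()
    return set(value.split(meta["set_separator"]))


def notices_by_email_action(text):
    """Split notices into those Bro tried to email and those it only logged.

    Returns (emailed, not_emailed), each a list of (uid, note) tuples in
    log order.
    """
    meta, rows = parse_bro_log(text)
    emailed, not_emailed = [], []
    for row in rows:
        actions = parse_set(row["actions"], meta)
        target = emailed if "Notice::ACTION_EMAIL" in actions else not_emailed
        target.append((row["uid"], row["note"]))
    return emailed, not_emailed


if __name__ == "__main__":
    import sys
    # Usage on a live deployment (path is an example):
    #   python check_notice_email.py /usr/local/bro/logs/current/notice.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NOTICE_LOG
    emailed, not_emailed = notices_by_email_action(text)
    for uid, note in emailed:
        print("emailed  %s %s" % (uid, note))
    for uid, note in not_emailed:
        print("log-only %s %s" % (uid, note))
```

Run it against the notice.log from a live broctl deployment, not from a `bro -r pcap` run: as noted above, Bro does not send mail when reading a pcap, so a pcap run tells you only whether the action was added, never whether delivery works.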