[Bro] Email Notice attempt #2

Azoff, Justin S jazoff at illinois.edu
Mon Aug 14 06:45:03 PDT 2017


> On Aug 12, 2017, at 1:11 PM, craig bowser <reswob10 at gmail.com> wrote:
> 
> OK, further refinement:
> 
> I've been going over the documentation for notices and raising alerts and googling and I think I've got the right code syntax, but I still am not getting emailed alerts.
> 
> 
> I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro
> 
> const mail_dest           = "reswob10 at gmail.com"                   &redef;

Do not modify the scripts that are shipped with bro.  This setting is best configured by using the MailTo setting in the broctl.cfg.

> hook Notice::policy(n: Notice::Info) {
>         if (n$note == HTTP::Basic_Auth_Server)
>                 print n$note;
>                 add n$actions[Notice::ACTION_EMAIL];
> }

You're missing a set of braces here and this block is really

hook Notice::policy(n: Notice::Info) {
        if (n$note == HTTP::Basic_Auth_Server)
                print n$note;
        add n$actions[Notice::ACTION_EMAIL];
}

You should use simply the 

redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

that you had before.

> When I run the script against a local pcap with HTTP basic auth traffic, I get the printed line:
> 
> root at raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro 
> HTTP::Basic_Auth_Server
> 
> 
> But I never get the emailed alert.

Bro does not send email when running against a pcap file.

> Could you please provide any tips/suggestions/corrections/rebukes for what I'm doing?  Are there other configurations I missed?  Is there a general log for bro that can show an error if it's trying to send email but it can't?

Look at the notice.log.  If the actions column contains Notice::ACTION_EMAIL then the script is trying to email the notice.  If you did not receive the email then look at stderr.log and the system wide mail log.



-- 
- Justin Azoff
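For reference, here is what the quoted hook looks like once the missing braces are added, placed next to the `redef Notice::emailed_types` form that the reply recommends. This is an added example for this archive page, not code from either poster; the recipient address is a constructed placeholder, and in a real deployment it is set through `MailTo` in `broctl.cfg` rather than in the script.

```bro
# Added example, not from the original thread. Goes in local.bro (or any
# site script loaded by broctl), never in the shipped
# base/frameworks/notice/main.bro.

# Recipient for ACTION_EMAIL notices. Constructed placeholder address;
# normally configured as "MailTo = ..." in broctl.cfg, which sets this
# same variable without editing shipped scripts.
redef Notice::mail_dest = "security-team at example.com";

# Option 1 (recommended): declare the notice type as one that gets emailed.
# The notice framework adds ACTION_EMAIL to every notice of this type.
redef Notice::emailed_types += { HTTP::Basic_Auth_Server };

# Option 2: the hook form from the thread, with braces around the if body.
# Without the braces only the print statement is conditional and the
# add statement runs for every notice, emailing all of them.
# Use either option 1 or option 2, not both.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == HTTP::Basic_Auth_Server )
        {
        print n$note;
        add n$actions[Notice::ACTION_EMAIL];
        }
    }
```

When testing against a pcap with `bro -r`, expect to see `Notice::ACTION_EMAIL` in the actions column of notice.log but no mail, as the reply notes; mail delivery is only exercised under broctl.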



