[Bro] Email Notice attempt #2

craig bowser reswob10 at gmail.com
Mon Aug 14 20:08:10 PDT 2017


Thanks for the tips, thanks for your patience.

I got the email to work.


Craig L Bowser
____________________________

This email is measured by size.  Bits and bytes may have settled during transport.

On Mon, Aug 14, 2017 at 9:45 AM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

>
> > On Aug 12, 2017, at 1:11 PM, craig bowser <reswob10 at gmail.com> wrote:
> >
> > OK, further refinement:
> >
> > I've been going over the documentation for notices and raising alerts and googling and I think I've got the right code syntax, but I still am not getting emailed alerts.
> >
> >
> > I configured the following line in /usr/local/bro/share/bro/base/frameworks/notice/main.bro
> >
> > const mail_dest           = "reswob10 at gmail.com" &redef;
>
> Do not modify the scripts that are shipped with bro.  This setting is best
> configured by using the MailTo setting in the broctl.cfg
>
> > hook Notice::policy(n: Notice::Info) {
> >         if (n$note == HTTP::Basic_Auth_Server)
> >                 print n$note;
> >                 add n$actions[Notice::ACTION_EMAIL];
> > }
>
> You're missing a set of braces here and this block is really
>
> hook Notice::policy(n: Notice::Info) {
>         if (n$note == HTTP::Basic_Auth_Server)
>                 print n$note;
>         add n$actions[Notice::ACTION_EMAIL];
> }
>
> You should use simply the
>
> redef Notice::emailed_types += { HTTP::Basic_Auth_Server };
>
> that you had before.
>
> > When I run the script against a local pcap with HTTP basic auth traffic, I get the printed line:
> >
> > root at raspberrypi:/home/pi# bro -C -r http-bro.pcap http-auth-notice.bro
> > HTTP::Basic_Auth_Server
> >
> >
> > But I never get the emailed alert.
>
> Bro does not send email when running against a pcap file.
>
> > Could you please provide any tips/suggestions/corrections/rebukes for what I'm doing?  Are there other configurations I missed?  Is there a general log for bro that can show an error if it's trying to send email but it can't?
>
> Look at the notice.log.  If the actions column contains
> Notice::ACTION_EMAIL then the script is trying to email the notice.  If you
> did not receive the email then look at stderr.log and the system wide mail
> log.
>
>
>
> --
> - Justin Azoff
>
>
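A quick check for the last piece of Justin's advice in the quoted reply (look at notice.log and confirm the actions column carries Notice::ACTION_EMAIL before chasing the mail system) is added here as an example; it is not code from the thread or from the Bro project. The notice.log it reads is a constructed sample reduced to a handful of the real columns, and the column positions are taken from the log's own `#fields` header rather than hard-coded, so the same function works on a full production log.

```shell
#!/bin/sh
# Added example (not from the thread or the Bro project): list the notices in a
# Bro notice.log whose "actions" column includes Notice::ACTION_EMAIL. If a
# notice shows up here, Bro is at least trying to mail it, and the next place to
# look is stderr.log and the system mail log, as Justin suggests.

# Constructed sample notice.log, reduced to a few of the real columns.
# Real logs are tab-separated with a "#fields" header naming every column.
make_sample_log() {
    printf '#separator \\x09\n'
    printf '#fields\tts\tuid\tnote\tmsg\tactions\tsuppress_for\n'
    printf '1502741000.000000\tCXWv6p3arKYeMETxOg\tHTTP::Basic_Auth_Server\tBasic auth observed\tNotice::ACTION_LOG,Notice::ACTION_EMAIL\t3600.000000\n'
    printf '1502741001.000000\tCjhGID4nQcgTWjvg4c\tScan::Port_Scan\tscan detected\tNotice::ACTION_LOG\t3600.000000\n'
    printf '#close\t2017-08-14-20-00-00\n'
}

# Print "note<TAB>actions" for every notice whose actions include ACTION_EMAIL.
# Usage: emailed_notices < notice.log
emailed_notices() {
    awk -F '\t' '
        $1 == "#fields" {
            # Header line: "#fields" occupies $1, so column N of the data
            # rows is named by $(N+1) here.
            for (i = 2; i <= NF; i++) { col[$i] = i - 1 }
            next
        }
        /^#/ { next }   # skip #separator, #path, #open, #close and friends
        ("note" in col) && ("actions" in col) &&
        index($(col["actions"]), "Notice::ACTION_EMAIL") > 0 {
            print $(col["note"]) "\t" $(col["actions"])
        }'
}

# Stand-alone run against the constructed sample.
make_sample_log | emailed_notices
```

Against a live deployment the call would be `emailed_notices < /usr/local/bro/logs/current/notice.log` (the `logs/current` path is an assumption about a default broctl layout under the /usr/local/bro prefix the thread mentions). Note that the check only tells you the ACTION_EMAIL action was attached; it says nothing about whether the mail left the box, and it will never match notices produced by running `bro -r` against a pcap, since, as Justin notes, no mail is sent in that mode.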