[Bro] Can't get "Notice::ACTION_EMAIL" to work

Andrew Dellana andrew.dellana at bayer.com
Thu Jan 19 10:58:37 PST 2017


I am still new to bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap).  I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert" ".    Line 117 is the "Notice::ACTION_EMAIL" line.


# The "unknown identifier" error is raised because Virus_Total_Alert is used
# before it has been declared as a member of Notice::Type.
redef enum Notice::Type += { Virus_Total_Alert };

hook Notice::policy(n: Notice::Info)
  {
  if ( n?$conn && n$conn?$http && n$conn$http?$host )
    n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
  }

# Notice::ACTION_EMAIL is an action value, not a function: raise the notice with
# NOTICE() and request the e-mail action through $actions. key$host and r$num
# are assumed to come from the enclosing SumStats threshold callback in vt_check.
NOTICE([$note=Virus_Total_Alert,
        $msg=fmt("Detected potential virus affecting host %s (%d hits).", key$host, r$num),
        $src=key$host,
        $identifier=cat(key$host),
        $actions=set(Notice::ACTION_EMAIL)]);


Thanks,

Andrew Dellana
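Editor's added example (not the poster's code nor part of sooshie's vt_check): the canonical Notice framework pattern for routing one notice type to e-mail from a Notice::policy hook rather than by calling the action value. The recipient address, the report_vt_hits helper and the sample host/hit count are constructed placeholders.

```bro
@load base/frameworks/notice

# Declare the notice type before anything references it.
redef enum Notice::Type += {
    ## Raised when a VirusTotal lookup reports hits for a downloaded file.
    Virus_Total_Alert,
};

# Constructed recipient; replace with the real mailbox.
redef Notice::mail_dest = "soc@example.com";

# The policy hook runs for every notice; it is where actions are attached.
# Only Virus_Total_Alert gets ACTION_EMAIL, so other notices stay on disk only.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != Virus_Total_Alert )
        return;

    add n$actions[Notice::ACTION_EMAIL];

    # Extra context for the mail body when the notice carries an HTTP connection.
    if ( n?$conn && n$conn?$http && n$conn$http?$host )
        n$email_body_sections[|n$email_body_sections|] =
            fmt("HTTP host: %s", n$conn$http$host);
    }

# Hypothetical raise point the VT lookup code would call with the affected
# host and hit count. $identifier suppresses repeat mails for the same host
# for Notice::default_suppression_interval.
function report_vt_hits(host: addr, hits: count)
    {
    NOTICE([$note=Virus_Total_Alert,
            $msg=fmt("VirusTotal reported %d hits for a file downloaded by %s", hits, host),
            $src=host,
            $identifier=cat(host)]);
    }

event bro_init()
    {
    # Constructed sample so the path can be exercised offline (bro -b this.bro).
    report_vt_hits(10.0.0.5, 3);
    }
```

Running it writes the notice to notice.log with "Notice::ACTION_EMAIL" in the actions column and hands the message to Notice::sendmail, so the log line is the first thing to check if no mail arrives.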