[Bro] Can't get "Notice::ACTION_EMAIL" to work
Andrew Dellana
andrew.dellana at bayer.com
Thu Jan 19 10:58:37 PST 2017
I am still new to Bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap). I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert" ". Line 117 is the "Notice::ACTION_EMAIL" line.

    hook Notice::policy(n: Notice::Info)
        {
        if ( n?$conn && n$conn?$http && n$conn$http?$host )
            n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
        }

    Notice::ACTION_EMAIL ([$note=Virus_Total_Alert,
        $msg=fmt("Detected potential virus effecting computer.", key$host, r$num),
        $src=key$host,
        $identifier=cat(key$host)]);

Thanks,
Andrew Dellana
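
The Notice framework usage this question concerns, as an added example that is not part of the original post or of the vt_check script: the notice type is declared with `redef enum Notice::Type`, the notice is raised with `NOTICE()`, and `Notice::ACTION_EMAIL` is added to `n$actions` inside the policy hook. The module name `VTCheck`, the helper `report_detection`, and the mail address are assumptions made for illustration.

```bro
@load base/frameworks/notice
@load base/protocols/http

module VTCheck;   # assumed module name, not taken from vt_check

export {
    # A value used as $note must be declared as a Notice::Type
    # before any code references it.
    redef enum Notice::Type += { Virus_Total_Alert };

    # Hypothetical helper: call it at the point where the lookup
    # result for a connection is known.
    global report_detection: function(c: connection, positives: count);
}

# Destination for ACTION_EMAIL notices (placeholder address).
redef Notice::mail_dest = "soc@example.com";

function report_detection(c: connection, positives: count)
    {
    # NOTICE() raises the notice; every %-specifier in fmt() has
    # exactly one matching argument.
    NOTICE([$note=Virus_Total_Alert,
            $msg=fmt("Potential virus affecting %s (%d detections).",
                     c$id$orig_h, positives),
            $conn=c,
            $identifier=cat(c$id$orig_h)]);
    }

hook Notice::policy(n: Notice::Info)
    {
    # Leave every other notice type untouched.
    if ( n$note != Virus_Total_Alert )
        return;

    # ACTION_EMAIL is an action attached to a notice, not a function.
    add n$actions[Notice::ACTION_EMAIL];

    # Append the HTTP Host header to the mail body when it is available.
    if ( n?$conn && n$conn?$http && n$conn$http?$host )
        n$email_body_sections[|n$email_body_sections|] =
            fmt("HTTP host header: %s", n$conn$http$host);
    }
```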