[Bro] Can't get "Notice::ACTION_EMAIL" to work

Aashish Sharma asharma at lbl.gov
Thu Jan 19 11:14:05 PST 2017


Andrew, 

I'd say everyone sets this up differently (there are quite a few ways).

Here is one simple manner in which you can escalate a notice so that it is also emailed.  I'd first simply generate a notice like this in the relevant policy:

# Format placeholders match the two arguments passed to fmt()
local msg = fmt("Detected potential virus affecting computer %s (%s).", key$host, r$num);
NOTICE([$note=Virus_Total_Alert, $msg=msg, $src=key$host, $identifier=cat(key$host)]);


Then, 

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }


Hope this helps, 
Aashish 
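
The two pieces described above combined into one stand-alone Bro script (an added example, not code from either message in this thread): it assumes a hypothetical module name `VTCheck`, declares the `Virus_Total_Alert` notice type with `redef enum Notice::Type`, raises the notice with a format string whose placeholders match its arguments, and escalates only that type to `Notice::ACTION_EMAIL` from the `Notice::policy` hook; the mail address, host and hit count are constructed sample values.

```zeek
# Added example: declare a notice type, raise it, and escalate it to e-mail.
# The module name, mail address, sample host and hit count are assumptions.
module VTCheck;

export {
    redef enum Notice::Type += {
        ## Raised when a VirusTotal lookup flags a host.
        ## Declared inside a module, so from other scripts this enum value
        ## is referenced as VTCheck::Virus_Total_Alert.
        Virus_Total_Alert,
    };
}

# ACTION_EMAIL does nothing unless a recipient is configured (placeholder address).
redef Notice::mail_dest = "security-team@example.com";

# Raise the notice for a host that had `hits` positive detections.
function raise_vt_alert(host: addr, hits: count)
    {
    # Two placeholders for the two arguments passed to fmt().
    local msg = fmt("Detected potential virus affecting computer %s (%d positives).",
                    host, hits);
    NOTICE([$note=Virus_Total_Alert,
            $msg=msg,
            $src=host,
            # Same identifier for the same host, so repeated alerts are
            # suppressed for Notice::default_suppression_interval.
            $identifier=cat(host)]);
    }

# Escalate only this notice type; every other notice keeps its default actions.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Constructed trigger so the script can be exercised with `bro vt_alert.bro`
# and no live traffic; remove it in a real deployment.
event bro_init()
    {
    raise_vt_alert(192.0.2.10, 7);
    }
```

Once the hook fires, the notice appears in notice.log with `Notice::ACTION_EMAIL` in its `actions` column, which is the quickest check that the escalation applied before looking at the mail path itself.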


On Thu, Jan 19, 2017 at 06:58:37PM +0000, Andrew Dellana wrote:
> I am still new to bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap).  I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert" ".    Line 117 is the "Notice::ACTION_EMAIL" line.
> 
> 
> hook Notice::policy(n: Notice::Info)
>   {
>   if ( n?$conn && n$conn?$http && n$conn$http?$host )
>     n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
>   }
> 
> Notice::ACTION_EMAIL ([$note=Virus_Total_Alert,
>         $msg=fmt("Detected potential virus effecting computer.", key$host, r$num),
>         $src=key$host,
>         $identifier=cat(key$host)]);
> 
> 
> Thanks,
> 
> Andrew Dellana



