[Bro] Can't get "Notice::ACTION_EMAIL" to work

Aashish Sharma asharma at lbl.gov
Thu Jan 19 11:41:48 PST 2017


oh my bad, I didn't quite read 

> local msg=fmt("Detected potential virus effecting computer.", key$host, r$num); 

it should be: 

 local msg=fmt("Detected potential virus effecting computer: %s, %s", key$host, r$num); 

On Thu, Jan 19, 2017 at 07:24:14PM +0000, Andrew Dellana wrote:
> Thanks Aashish! 
> 
> I added it in and ran the script but now it dislikes the 'key$host' in the first line. (unknown identifier key, at or near "key")
> 
> 
> Thanks,
> 
> Andrew Dellana
> 
> -----Original Message-----
> From: Aashish Sharma [mailto:asharma at lbl.gov] 
> Sent: Thursday, January 19, 2017 2:14 PM
> To: Andrew Dellana
> Cc: bro at bro.org
> Subject: Re: [Bro] Can't get "Notice::ACTION_EMAIL" to work
> 
> Andrew, 
> 
> I'd say everyone sets up this differently. (there are quite a few ways).
> 
> Here is one simple manner in which you can escalate a notice to be also emailed.  I'd first simply generate a notice like this in relevant policy:
> 
> local msg=fmt("Detected potential virus effecting computer.", key$host, r$num); 
> NOTICE([$note=Virus_Total_Alert, $msg=msg, $src=key$host, $identifier=cat(key$host)]);
> 
> 
> Then, 
> 
> hook Notice::policy(n: Notice::Info)
> {
>   if ( n$note == Virus_Total_Alert)
>    { add n$actions[Notice::ACTION_EMAIL];}
> }
> 
> 
> Hope this helps, 
> Aashish 
> 
> 
> On Thu, Jan 19, 2017 at 06:58:37PM +0000, Andrew Dellana wrote:
> > I am still new to bro scripting and I am working with the vt_check that sooshie wrote and trying to configure email notifications for any virus findings (monitoring multiple interfaces via network tap).  I looked into the notice framework section on the webpage and am getting an error: "error in ./VT_Check.bro, line 117: unknown identifier Virus_Total_Alert, at or near "Virus_Total_Alert" ".    Line 117 is the "Notice::ACTION_EMAIL" line.
> > 
> > 
> > hook Notice::policy(n: Notice::Info)
> >   {
> >   if ( n?$conn && n$conn?$http && n$conn$http?$host )
> >     n$email_body_sections[|n$email_body_sections|] = fmt("Virus_Total_Alert header: %s", n$conn$http$host);
> >   }
> > 
> > Notice::ACTION_EMAIL ([$note=Virus_Total_Alert,
> >         $msg=fmt("Detected potential virus effecting computer.", key$host, r$num),
> >         $src=key$host,
> >         $identifier=cat(key$host)]);
> > 
> > 
> > Thanks,
> > 
> > Andrew Dellana
> 
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 

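For readers following the thread, here is a minimal stand-alone Bro script that puts the pieces from the exchange together; it is an added example, not code from the original posts or from the vt_check script. The notice type must be declared with `redef enum Notice::Type` before it can be used (the cause of the first "unknown identifier" error), and `key$host` / `r$num` only exist inside the callback that computes them, so the constructed event `vt_positive_result` stands in for that callback here.

```bro
@load base/frameworks/notice

# Declaring the type is what resolves "unknown identifier Virus_Total_Alert".
redef enum Notice::Type += {
    Virus_Total_Alert
};

# Without a recipient, ACTION_EMAIL is silently dropped.
# Placeholder address; replace with the real mailbox.
redef Notice::mail_dest = "soc@example.com";

# Constructed stand-in for the vt_check lookup result. In the real script
# the host and hit count come from its own callback (key$host, r$num).
global vt_positive_result: event(host: addr, positives: count);

event vt_positive_result(host: addr, positives: count)
    {
    # Both format arguments now have a matching %s / %d in the string.
    local msg = fmt("Detected potential virus affecting computer: %s, %d hits",
                    host, positives);
    NOTICE([$note=Virus_Total_Alert,
            $msg=msg,
            $src=host,
            # Same identifier for the same host lets the framework
            # suppress repeated notices instead of mailing each one.
            $identifier=cat(host)]);
    }

# Escalate only this notice type to e-mail; everything else keeps
# its default actions (logging to notice.log).
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Virus_Total_Alert )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Constructed trigger so the script can be exercised offline
# with `bro -b this_script.bro` (no traffic needed).
event bro_init()
    {
    event vt_positive_result(192.0.2.10, 3);
    }
```

Running it with `-b` writes the notice to notice.log with `Notice::ACTION_EMAIL` listed in the actions column, which is the quickest way to confirm the hook fired before wiring in the real mail setup.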

More information about the Bro mailing list