[Bro] bro notice framework

Johanna Amann johanna at icir.org
Tue May 8 16:58:37 PDT 2018


On Mon, May 07, 2018 at 12:34:32PM +0100, bz Os wrote:
> Hello everyone, I am trying to get a notice in my email when a scan against
> my network is done. I wrote this script:
> 
> @load policy/misc/scan.bro
> 
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$note == Scan::Address_Scan )
>         add n$actions[Notice::ACTION_EMAIL];
>     }
> 
> 
> But when I test a scan against my network, I get nothing in my email, even
> though I have a notice that a scan was made in the file notice.log.
> How can I resolve this problem?

This might be that the path to sendmail is set incorrectly. If you use
broctl, check the broctl.conf to see if the sendmail path is correct. If
it is correct, check whether you can manually send email via sendmail and it
arrives. reporter.log also might contain output.

> And how do I make the file notice.log log a more meaningful notice? For
> example, when a scan is made it would write "scan made by" and the address of
> the host.

I am not 100% sure what you mean here. I am assuming you want to customize
the text that the notice has.

Generally you can put all information into the notice.log that you pass in
the call to NOTICE. In this case the notice is raised by scan.bro, which
sadly is not easily customizable. You could copy it to your own script
directory, customize it and then load your own scan.bro instead.

Johanna
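Putting both points together, the following is an added example (not code from this thread or from the Bro distribution): the hook with the correct Notice::Info parameter type, the sendmail path and recipient set via redef so they can be checked against broctl, and the scanning host prepended to the notice text from inside the hook. The recipient address and sendmail path are placeholders, and it assumes that fields set on n inside Notice::policy are what is later logged and mailed.

```bro
@load policy/misc/scan.bro

# Assumption: make sure this matches the sendmail path configured in broctl,
# and that running the binary by hand actually delivers mail.
redef Notice::sendmail = "/usr/sbin/sendmail";

# Placeholder recipient; replace with the real mailbox.
redef Notice::mail_dest = "security-team@example.com";

hook Notice::policy(n: Notice::Info)
    {
    # Only act on address scans raised by scan.bro; other notices keep
    # their default actions.
    if ( n$note == Scan::Address_Scan )
        {
        # Send this notice by email in addition to writing notice.log.
        add n$actions[Notice::ACTION_EMAIL];

        # scan.bro fills n$src with the scanning host. Prepending it to the
        # message gives the "scan made by <address>" wording asked for,
        # without copying and editing scan.bro itself.
        if ( n?$src )
            n$msg = fmt("scan made by %s: %s", n$src, n$msg);
        }
    }
```

If email still does not arrive after this, look in reporter.log for errors from the sendmail invocation before changing the script further.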

