[Bro] unknown identifier for Notice::ACTION_EMAIL
Nicolas KRASINSKI
krasinski at cines.fr
Fri Oct 26 09:35:14 PDT 2018
Ok, I found the solution, I added in my local.bro :
@load misc/scan
with the code :
hook Notice::policy(n: Notice::Info)
{
if ( n$note == Scan::Address_Scan || n$note == Scan::Port_Scan )
add n$actions[Notice::ACTION_EMAIL];
}
and it works fine.
Thank you,
Nicolas.
De: "krasinski" <krasinski at cines.fr>
À: "Stephen M Hosom" <hosom at battelle.org>
Cc: "bro" <bro at bro.org>
Envoyé: Vendredi 26 Octobre 2018 16:36:34
Objet: Re: [Bro] unknown identifier for Notice::ACTION_EMAIL
Thanks, but what are you meaning by identify the module that those names are in ?
I changed the Address_Scan by Scan::Address_Scan, but same..
I added "module Scan;" in local.bro but same error.
When I add this directly in scan.bro, it works, but it is not advisable...
hook Notice::policy(n: Notice::Info)
{
if (n$note == Address_Scan)
add n$actions[Notice::ACTION_EMAIL];
}
De: "Hosom, Stephen M" <hosom at battelle.org>
À: "krasinski" <krasinski at cines.fr>, "bro" <bro at bro.org>
Envoyé: Vendredi 26 Octobre 2018 16:25:07
Objet: Re: unknown identifier for Notice::ACTION_EMAIL
Replace Address_Scan with Scan::Address_Scan and Port_Scan with Scan::Port_Scan and try again. You have to identify the module that those names are in.
________________________________
From: bro-bounces at bro.org <bro-bounces at bro.org> on behalf of Nicolas KRASINSKI <krasinski at cines.fr>
Sent: Friday, October 26, 2018 9:39:48 AM
To: bro at bro.org
Subject: [Bro] unknown identifier for Notice::ACTION_EMAIL
Message received from outside the Battelle network. Carefully examine it before you open any links or attachments.
Hello,
I want bro to send email when a note is seen.
I try adding these to local.bro :
redef Notice::emailed_types += {
Address_Scan,
Port_Scan,
};
hook Notice::policy(n: Notice::Info)
{
if (n$note in Notice::emailed_types)
add n$actions[Notice::ACTION_EMAIL];
}
Or this
hook Notice::policy(n: Notice::Info)
{
if (n$note == Address_Scan)
add n$actions[Notice::ACTION_EMAIL];
}
But when I do broctl check I have this error :
error in /usr/local/bro/share/bro/site/local.bro, line 13: unknown identifier Address_Scan, at or near "Address_Scan"
The script policy/misc/scan.bro is well loaded.
Thanks a lot !
Nicolas.
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20181026/08ba8a4e/attachment.html
More information about the Bro
mailing list