[Zeek] Multiple email recipients

Nicolas KRASINSKI krasinski at cines.fr
Thu Feb 14 06:18:40 PST 2019


Can somebody help me?

I tried to put
const mail_dest = "user at domain.com" &redef;
in /framework/notice/main.bro
or my local.bro
but nothing works,

I also tried to put in my script
redef Notice::mail_dest = "user at domain.com";
but nothing works,

How can I send ACTION_ALARM to the email of "mail_dest"?

I'm really lost...

Thanks in advance, 

Nicolas. 


From: "krasinski" <krasinski at cines.fr>
To: "zeek" <zeek at zeek.org>
Sent: Thursday, 7 February 2019 17:08:47
Subject: Re: [Zeek] Multiple email recipients

Hello, 

I found "Notice::mail_dest", 
So I define this in my script:

redef Notice::mail_dest = "user at domain.com";
redef Notice::emailed_types += { SSH::Password_Guessing, };

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }

It doesn't work... the alert is always sent to the default email in broctl.cfg.
I see in the documentation: "Note this is overridden by the BroControl MailTo option."

Do you know how I can use the 'mail_dest' option correctly?

Thanks 

Nicolas. 


From: "krasinski" <krasinski at cines.fr>
To: "zeek" <zeek at zeek.org>
Sent: Tuesday, 5 February 2019 15:34:35
Subject: [Zeek] Multiple email recipients

Hello, 

Is there a way to have multiple recipients of the Bro alerts?
I have a script that sends emails for 5 alerts. I would like to send some alerts to some different recipients...
Could I define this directly in my script or in broctl.cfg or others?

Thanks in advance for your help 

Nicolas 

_______________________________________________ 
Zeek mailing list 
zeek at zeek.org 
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek 
