bro alerts over email

Hello All :

Thanks for clearing up the questions in the last email. I need some more
clarification about email alert generation using bro. I thank you for
your time and help.

I am writing this email in the order in which alert generation needs to
be configured in bro (I think).

1) I am unable to redefine the variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file. Right now I am adding all my sensitive URIs and ftp hot
files into the corresponding policy files.
export {
        const sensitive_URIs =

[from policy/http-request.bro; lines 9+]

export {
        # Indexed by source & destination addresses and the id.
        const skip_hot: set[addr, addr, string] &redef;

        const hot_files =

[from policy/ftp.bro; lines 12+]

So, how do I redef these variables (which are declared as 'export { const ...'
in the policy files) in my site/policy.bro file?

2) In order to send emails from bro I had to comment out the following
in the notice.bro file:

# if ( ! mail_notification ) ----------------------- (2A)
# return;

# local action = notice_action_filters[n$note](n); --------- (2B)

        # Choose destination address based on action type.
# local destination = (action == NOTICE_EMAIL) ?
# mail_dest : mail_page_dest;
local destination = mail_dest ;

2A) I think the 'if (! mail_notification)' condition does not hold true at
all. I see the following definition

../policy/notice.bro:global mail_notification = reading_live_traffic()
&redef;

and

../policy/bro.bif.bro:global reading_live_traffic: function(): bool;

I don't see the reading_live_traffic function defined anywhere. Do I need
to redef the reading_live_traffic() function?

If yes, should it be in the site policy file? Would its value affect
other policy files? (It is used in conn.bro, load-level.bro and
stats.bro.)

2B) local action = notice_action_filters[n$note](n)

gives the following error in the info.log file, and bro stops:

1111094454.266502 /usr/local/bro/policy/notice.bro, line 193
(notice_action_filters[n$note]): run-time error, no such index
1111094454.266502 /usr/local/bro/policy/notice.bro, line 196 (action):
run-time error, value used but not set

Commenting out the action variable makes email work fine, but I am not
sure how other things would be affected by this.

3) Finally, by declaring sensitive URIs as in (1) and commenting out (2),
I am getting email notifications working in bro. As suggested,
I am declaring, for example:

     [$pred(n: notice_info) =
                        {
                         return n?$URL && n$URL == /^.*rootdown.pl.*$/ ;
                        },
                 $result = NOTICE_EMAIL,
                 $priority = 4],

in my site policy file to get email/page alerts. If I understand it
correctly, I first have to put rootdown.pl (etc.) in the sensitive_URIs list
to get bro to generate an alert, and then declare that particular alert
using the above $pred config in my site policy file. Right?

Since this could lead to a lot of $pred declarations, is it possible to
have a form like the following for a similar category of alerts:

/usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
(/^?(^.*rootdown.pl.*$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
boolean operands

which is obviously erroneous right now.

4) I checked again, and the mail_notice.sh file comes as part of the bro
tarball and is available in the bro-09a8/scripts folder. However, after
running make install-brolite it does not get copied over to
/usr/local/bro/scripts. I thought I should let you know this.

I appreciate all the help here.

Thanks a lot.

Aashish Sharma
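The following is an added example of how questions 1 and 3 above are usually handled in a Bro site policy; it is not the poster's code, not a reply from the list, and not taken from the bro distribution. It assumes that sensitive_URIs in policy/http-request.bro is declared with &redef (the poster reports that his copy is not, in which case the redef line will fail until the attribute is added), that the notice_policy set with $pred/$result/$priority records that the poster already uses exists under that name, and that Bro's pattern `|` disjunction and `pattern in string` substring match are available. The pattern names and the URI list are made up for illustration.

```bro
# Added example for a site policy file (e.g. site/policy.bro); assumptions
# are listed in the lead-in above. Not code from the thread or from bro.

# Question 3: instead of one $pred per URI (and instead of "||" between
# patterns, which is the "requires boolean operands" error), build a
# single pattern with "|".  Dots are escaped so "rootdown.pl" does not
# also match "rootdownXpl".  my_hot_uris is a hypothetical name.
const my_hot_uris = /rootdown\.pl/ | /lads\.exe/ | /cmd\.exe/;

# Question 1: extend the exported constant from the site policy rather
# than editing policy/http-request.bro.  This only works when the
# declaration carries &redef (assumed here); "+=" on a pattern adds an
# alternative to the existing pattern.
redef sensitive_URIs += my_hot_uris;

# One notice_policy entry covers every URI in my_hot_uris.  "in" matches
# the pattern anywhere in the string, so the /^.*...*$/ anchors needed
# with "==" (which requires the whole string to match) are not required.
redef notice_policy += {
        [$pred(n: notice_info) =
                {
                return n?$URL && my_hot_uris in n$URL;
                },
         $result = NOTICE_EMAIL,
         $priority = 4],
};
```

Keeping the URI list in one pattern constant means the same value feeds both the detection (sensitive_URIs) and the notice policy, so the two cannot drift apart when a new URI is added.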

I can answer question #2A. Someone else will have to handle #1, #2B, and #3.

I noticed and fixed the problem you are referring to a couple weeks ago.
We changed the beginning of function "email_notice" to be:

         if ( ! reading_live_traffic() || mail_dest == "" )
                 return;

where mail_dest is defined at the beginning of the file as:
global mail_dest = "" &redef;

Then you need to set mail_dest in your site policy file.

reading_live_traffic() is defined in bro.bif.bro, but the way it was being used there was
a race condition where it was not always being set correctly.