1) I am unable to redefine variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file.
These are declared inside module scope, so you need <module>::<variable>
to access them. For example:
redef HTTP::sensitive_URIs += /rootdown.pl/;
2B) local action = notice_action_filters[n$note](n)
gives the following error in the info.log file and bro stops:
Oops, a bug. Patch appended.
in my site-policy file for getting email/page alert. If I understand it
correctly, I have to first put rootdown.pl (etc) in Sensitive_URI list
to get bro to generate an alert and then declare that particular alert
using the above $pred config in my site policy file. Right? Since this
could lead to a lot of $pred declarations, is it possible to have a
formation like the following for a similar category of alerts:
/usr/local/bro/site/hail.ncsa.uiuc.edu.bro, line 157
(/^?(^.*rootdown.pl.*\)?/ || /^?(^.*lads.exe.*\)?/): error, requires
boolean operands
One of the changes already in place for the next release is use of "||"
and "&&" for combining patterns, for exactly this sort of reason.
Vern
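A site policy fragment illustrating the module-qualified redef described above. This is an added example, not code from the original message or from the Bro distribution; it assumes that hot_files in policy/ftp.bro lives in a module named FTP (the message only gives the file name) and that both variables are patterns that accept +=, as the HTTP::sensitive_URIs example in the reply shows.

```bro
# Added example, not part of the original message.
# Assumptions: policy/http-request.bro declares sensitive_URIs in module HTTP
# (as stated in the reply) and policy/ftp.bro declares hot_files in module FTP.
@load http-request
@load ftp

# sensitive_URIs is declared inside module HTTP, so a site file has to use the
# HTTP:: prefix; an unqualified "redef sensitive_URIs" is not found.
# Several URIs are folded into one pattern with '|' alternation, which this
# release accepts; writing two separate patterns joined with '||' is what
# produces the "requires boolean operands" error quoted in the thread.
redef HTTP::sensitive_URIs += /rootdown\.pl|lads\.exe/;

# Same rule for hot_files from policy/ftp.bro (module FTP assumed here).
# Constructed sample file names for illustration only.
redef FTP::hot_files += /\.rhosts|shadow/;
```

Each redef appends to the distribution's default list rather than replacing it, so the site file only needs to carry the site-specific additions.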
diff -Lpolicy/notice.bro -Lpolicy/notice.bro -u -r1.14 -r1.15
--- policy/notice.bro
+++ policy/notice.bro
@@ -181,13 +181,11 @@
}
}
-function email_notice(n: notice_info)
+function email_notice(n: notice_info, action: NoticeAction)
{
if ( ! reading_live_traffic() || mail_dest == "" )
return;
- local action = notice_action_filters[n$note](n);
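Review bot: with `local action = notice_action_filters[n$note](n);` removed and `action: NoticeAction` added to the signature of `email_notice`, the filter lookup that was failing in the reporter's info.log now has to be done once by whoever calls `email_notice`, so every call site must be updated to pass the already-computed action; that caller change is not visible in the portion of the hunk shown (the `@@ -181,13 +181,11 @@` header promises more lines than appear here), so confirm it is part of the committed change, otherwise existing calls no longer match the new signature.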