bro alerts over email

1) I am unable to redefine variables sensitive_URIs
(policy/http-request.bro) and hot_files (policy/ftp.bro) in my site
policy file.

These are declared inside module scope, so you need <module>::<variable>
to access them. For example:

  redef HTTP::sensitive_URIs += /;

2B) local action = notice_action_filters[n$note](n)

gives the following error in the info.log file and bro stops:

Oops, a bug. Patch appended.

in my site-policy file for getting email/page alert. If I understand it
correctly, I have to first put (etc) in the Sensitive_URI list
to get bro to generate an alert and then declare that particular alert
using the above $pred config in my site policy file. Right?

Since this could lead to a lot of $pred declarations, is it possible to
have a formation like the following for similar categories of alerts:

/usr/local/bro/site/, line 157
(/^?(^.**$)$?/ || /^?(^.*lads.exe.*$)$?/): error, requires
boolean operands

One of the changes already in place for the next release is use of "||"
and "&&" for combining patterns, for exactly this sort of reason.


diff -Lpolicy/notice.bro -Lpolicy/notice.bro -u -r1.14 -r1.15
--- policy/notice.bro
+++ policy/notice.bro
@@ -181,13 +181,11 @@

-function email_notice(n: notice_info)
+function email_notice(n: notice_info, action: NoticeAction)
   if ( ! reading_live_traffic() || mail_dest == "" )

- local action = notice_action_filters[n$note](n);
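Review bot: The new `action: NoticeAction` parameter on `email_notice` has no visible caller passing it, and the hunk does not show where the removed `notice_action_filters[n$note](n)` lookup now happens. Please confirm that every call site of `email_notice` is updated in the same revision, and that wherever the action is now computed the table is indexed only after an `n$note in notice_action_filters` check, since the unguarded index removed here is the line the report above ties to the error. A one-line comment on the function stating that the caller is responsible for resolving the action would also keep the lookup from being reintroduced inside it later.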