reading_live_traffic() is defined in bro.bif.bro, but the way it was
being used there was
a race condition where it was not always being set correctly.
Minor clarification: this isn't a race condition in terms of not being
deterministic. Rather, the problem is that Bro doesn't know whether it's
reading live traffic until it finishes initializing global variables
(in particular, the "interfaces" variable); so a call to reading_live_traffic()
for a variable's initialization returns F even if later Bro determines
it indeed is going to be reading live traffic.
Mail notification via bro is working just fine (and fast) now. Thanks for all the input and help.
I would like to point out a few more things which we had to add locally:
1) Currently NOTICE_PAGE and NOTICE_EMAIL are independent actions, so we had to make minor modifications in notice.bro
to be able to send an email as well when the NOTICE_PAGE action takes place.
I think it would be a good idea to have an email sent when the NOTICE_PAGE action takes place.
2) Going back to the reading_live_traffic()/mail notification issue:
Since,
> (in particular, the "interfaces" variable); so a call to reading_live_traffic()
> for a variable's initialization returns F even if later Bro determines
> it indeed is going to be reading live traffic.
Not sure why we needed '!' in the 'if (! mail_notification)' condition, because mail_notification is returning false
irrespective of live traffic capture or a tcpdump replay.
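As an added illustration of the initialization-order point made in the clarification above (this is example code written for this page, not a script from the thread or from the Bro distribution), the following shows the two ways of asking reading_live_traffic(): once from a global initializer, where the answer is always F, and once from bro_init, after Bro has processed the "interfaces" variable. It assumes that reading_live_traffic() is a BiF returning a bool and that the bro_init event is raised only after all global initializers have run and Bro has decided whether it is sniffing an interface or reading a trace; the names mail_at_global_init and mail_enabled are hypothetical, mail_notification is the variable named in the message above.

```bro
# Added example, not from the thread or the Bro distribution.
# Assumptions: reading_live_traffic() is a BiF returning T/F, and the
# bro_init event is raised only after every global initializer has run
# and Bro knows whether it reads from an interface or from a trace file.

# Evaluated while globals are still being initialized.  Per the
# clarification above this is always F, even when Bro later decides it is
# reading live traffic, so any 'if' on it behaves the same for a live
# capture and for a tcpdump replay.  (hypothetical name)
const mail_at_global_init = reading_live_traffic();

# Defer the decision instead: start with F and fill it in once Bro knows.
global mail_notification = F;

event bro_init()
	{
	# By the time bro_init is raised the "interfaces" variable has been
	# processed, so this reflects the real mode of operation.
	mail_notification = reading_live_traffic();
	}

# Consult the variable only after bro_init, i.e. from event handlers or
# functions called by them, never from another global initializer.
# (hypothetical helper)
function mail_enabled(): bool
	{
	return mail_notification;
	}

event bro_done()
	{
	# Runs at shutdown, long after bro_init, so both values are final here.
	print fmt("at global init: %s, after bro_init: %s",
	          mail_at_global_init, mail_enabled());
	}
```

Run once against an interface (-i) and once against a trace (-r): the first value printed is F in both runs, while the second is T only for the live run. That is the behaviour the message above describes for mail_notification, and the reason a test of the form 'if ( mail_notification )' has to be made against a value set in bro_init rather than in a global initializer.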