1) Currently NOTICE_PAGE and NOTICE_EMAIL are independent actions, so we had to make minor modifications in notice.bro
to be able to send an email as well when the NOTICE_PAGE action takes place.
I think it would be a good idea to have an email sent while the NOTICE_PAGE action takes place.

Yes, we agree. I've added this to the to-do list. Not sure how quickly
it'll be done, though (since the right way to do it is to allow the user
to specify either one, or the other, *or* both, and that sort of flexibility
doesn't fit with the current exclusive-action model).

Not sure why we needed '!' in the 'if (! mail_notification)' condition, because mail_notification is returning false
irrespective of live_traffic capture or a tcpdump reply.

Well, that was a bug, per the earlier discussion. In any case, it's gone
with the upcoming 0.9a9 release.