bro email notifications

Hi all,

I am working with the DNS module, and trying change the notification for
some of the alerts. Specifically, I would like to set the
SensitiveDNS_Lookup alarm to NOTICE_EMAIL rather than
NOTICE_ALARM_ALWAYS as is default. I got that name for the event by
parsing the alarm file and looking at the events from the dns module.
Following the example in Sec6.3 of the User Manual I put

redef notice_action_filters += {
[[SensitiveDNS_Lookup]] = send_email_notice,

in my file. However when trying to start that gives me

BRO# ../etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/, line 21: error: unknown identifier
SensitiveDNS_Lookup, at or near "SensitiveDNS_Lookup"

Any ideas? Please let me know if there is any more info I should


If you look at dns.bro, you will see:

module DNS;

This means you must append "DNS::" to all variable defined there. ie:

Smith, Stephen G., OIG DoD wrote: