bro email notifications

Hi all,

I am working with the DNS module, and trying to change the notification for
some of the alerts. Specifically, I would like to set the
SensitiveDNS_Lookup alarm to NOTICE_EMAIL rather than
NOTICE_ALARM_ALWAYS as is default. I got that name for the event by
parsing the alarm file and looking at the events from the dns module.
Following the example in Sec. 6.3 of the User Manual, I put

<snip>
redef notice_action_filters += {
[[SensitiveDNS_Lookup]] = send_email_notice,
};
</snip>

in my local.site.bro file. However, when trying to start, that gives me

<snip>
BRO# ../etc/bro.rc start
bro.rc: Running as non-root user bro
bro.rc: Starting ..........bro.rc: Failed to start Bro
/usr/local/bro/site/local.site.bro, line 21: error: unknown identifier
SensitiveDNS_Lookup, at or near "SensitiveDNS_Lookup"
... FAILED
</snip>

Any ideas? Please let me know if there is any more info I should
provide.

Thanks,
Steve

If you look at dns.bro, you will see:

module DNS;

This means you must append "DNS::" to all variables defined there, i.e.:
DNS::SensitiveDNS_Lookup

Smith, Stephen G., OIG DoD wrote: