bro email scripts

Hello all,

I am working on getting the email reports and alarms working in BRO, and
I am having to do a bit of hacking to modify it to use ssmtp instead of
sendmail. However in the process I have noticed a few things which I
figured I should ask about before I go too far.

1. There is the mail_notice.sh script in the scripts dir which
references the body of the alarm being in /tmp/bro.notice.$$, however I
can't find this file being created anywhere in the notice policy.
2. I don't see this script getting called anywhere in the notice policy
either, instead the mail_script var was declared as /bin/mail, which
doesn't work.

This leaves me with the following question: in the notice-policy file
what var contains the text of the alarm? If I can know that then I will
be able to figure out how to pipe it to where I want it. I am assuming that
the email system in this release is not actually broken, it is just my
installation.

Thanks,
Steve

Smith, Stephen G., OIG DoD wrote:

> Hello all,
>
> I am working on getting the email reports and alarms working in BRO, and
> I am having to do a bit of hacking to modify it to use ssmtp instead of
> sendmail. However in the process I have noticed a few things which I
> figured I should ask about before I go too far.
>
> 1. There is the mail_notice.sh script in the scripts dir which
> references the body of the alarm being in /tmp/bro.notice.$$, however I
> can't find this file being created anywhere in the notice policy.

That script is actually old and no longer used.

> 2. I don't see this script getting called anywhere in the notice policy
> either, instead the mail_script var was declared as /bin/mail, which
> doesn't work.

If you redef "mail_script" to the location of mail on your system, and
also redef "mail_dest" to a valid email address, this should work.

> This leaves me with the following question: in the notice-policy file
> what var contains the text of the alarm? If I can know that then I will
> be able to figure out how to pipe it to where I want it. I am assuming that
> the email system in this release is not actually broken, it is just my
> installation.

See line 215 in notice.bro. The text of the mail message comes from n$note.

For debugging, I always add this line to the end of the email_notice()
routine in notice.bro:
   print mail_cmd;

This way you can verify that email_notice() is in fact being called, and
you can try running the script by hand to verify that it's working
correctly. These print statements will end up in the "info.log" file.

Hope this helps.
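Since the original question was about routing the notices through ssmtp rather than sendmail, here is an added example of a small wrapper that can be pointed to with "mail_script". It is not code from the Bro distribution or from either poster. It assumes Bro invokes mail_script the way it would /bin/mail, i.e. with "-s SUBJECT RECIPIENT" on the command line and the message body on stdin, and that ssmtp lives at /usr/sbin/ssmtp (overridable through the SSMTP variable); the file name mail-via-ssmtp.sh is also an assumption. Before installing it, confirm the exact command line Bro builds by adding the "print mail_cmd;" line described above and reading it back from info.log.

```shell
#!/bin/sh
# mail-via-ssmtp.sh: a drop-in for the "mail -s SUBJECT RECIPIENT" command
# line that Bro's email_notice() runs through mail_script, forwarding the
# notice to ssmtp instead of a local sendmail.
# Assumption (added example, not part of Bro): ssmtp is at /usr/sbin/ssmtp;
# override with the SSMTP environment variable.

SSMTP="${SSMTP:-/usr/sbin/ssmtp}"

# build_message SUBJECT RECIPIENT: read the body from stdin and emit a
# complete message (headers, blank line, body) on stdout, which is the
# form ssmtp expects on its own stdin.
build_message() {
    printf 'To: %s\nSubject: %s\n\n' "$2" "$1"
    cat
}

# send_mail [-s SUBJECT] RECIPIENT: parse the arguments the way /bin/mail
# would, then hand the assembled message to ssmtp. Returns ssmtp's exit
# status, or 2 on a usage error.
send_mail() {
    subject="(no subject)"
    OPTIND=1
    while getopts 's:' opt; do
        case $opt in
            # Strip CR/LF so a subject derived from traffic cannot inject
            # extra headers into the message.
            s) subject=$(printf '%s' "$OPTARG" | tr -d '\r\n') ;;
            *) echo "usage: $0 [-s subject] recipient" >&2; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    recipient=$1
    if [ -z "$recipient" ]; then
        echo "$0: missing recipient" >&2
        return 2
    fi
    build_message "$subject" "$recipient" | "$SSMTP" "$recipient"
}

# Act as the mail command only when executed under this file name, so the
# functions can also be sourced and exercised by hand.
case "$0" in
    */mail-via-ssmtp.sh|mail-via-ssmtp.sh) send_mail "$@" ;;
esac
```

Install it somewhere on the Bro host (the path below is an assumption), make it executable, and then redef the two variables the reply mentions in your site policy: `redef mail_script = "/usr/local/bin/mail-via-ssmtp.sh";` and `redef mail_dest = "ops@example.com";` (with a real recipient). Running it by hand with `printf 'test body\n' | /usr/local/bin/mail-via-ssmtp.sh -s "Bro Alarm test" ops@example.com` exercises the same path email_notice() will use.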