Email Notice Suppression

Scotty_Brown · August 31, 2015, 11:45pm

Hi All,

I'm running bro 2.4 and have just added a bunch of critical stack intel
feeds. All is working well.

One of the feeds I have is a list of TOR ips, and once I set notices to
true for the critical stack intel I start getting emails (I've set up
email alerting for notices).

What I would like to do is suppress email alerts for a particular notice
from a particular src host.

ie (intel.log):

1441063489.889373 CEyDP6zbg6ngOFFa 10.10.10.10 45969
213.163.70.234 443 - - - 213.163.70.234
Intel::ADDR Conn::IN_RESP sensor-eth1-1 from
https://www.dan.me.uk/torlist/ via intel.criticalstack.com

So any notice that fires from src 10.10.10.10 for the torlist intel -
I'd still like to see the notice in the intel file - but not get the
email alert.

Any pointers?

Cheers,

Scotty

Jan_Grashoefer · September 1, 2015, 9:03am

Hi Scotty,

have a look at automated suppression and the Notice::policy hook (https://www.bro.org/sphinx-git/frameworks/notice.html#automated-suppression and https://www.bro.org/sphinx-git/frameworks/notice.html#extending-notice-framework).

If you use the do_notice script that comes with Bro, you want to add an identifier to the notice, to get automated suppression.

Best regards,
Jan

Topic		Replies	Views
Bro email notice question Zeek	8	78	May 6, 2022
Two questions Zeek	2	159	May 6, 2022
Basic Alerts/Email questions Zeek	4	129	May 6, 2022
bro intel notice log Zeek	3	70	May 6, 2022
Intel Framework, Notices, and sending out emails Zeek	3	75	May 6, 2022

Email Notice Suppression

Related Topics