Issue defining "Site::local_admins" variable

Zeek
1

Good morning,

I’m working on email separation between users and admins on my local Bro instance and I’m not understanding the syntax for either the “Site::get_emails” or the “Site::local_admins” variables for ACTION_EMAIL_ADMIN. Since I avoid functions, I attempted to redefine the following in my local.bro:

redef Site::local_admins += {
table([xxx.xxx.xxx.xxx/16] = “emailaddress1@something.com,emailaddress2@something.com”);
};

Reference: https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_admins

Bro doesn’t like this and I’m unable to find previous examples for guidance. Could someone point me in the right direction?

Thanks,

2

It's a table of a set of strings:

scripts/base/utils/site.bro: const local_admins: table[subnet] of set[string] = {} &redef;

$ git grep redef.*local_admins
testing/btest/scripts/base/utils/site.test:redef Site::local_admins += {
$ cat testing/btest/scripts/base/utils/site.test
# @TEST-EXEC: bro %INPUT > output
# @TEST-EXEC: btest-diff output

# This is loaded by default.
#@load base/utils/site

global a = { "site-admin@example.com", "other-site-admin@example.com" };
global b = { "net-admin@example.com" };

redef Site::local_admins += {
    [141.142.0.0/16] = a,
    [141.142.100.0/24] = b,
};

event bro_init()
    {
    print Site::get_emails(141.142.1.1);
    print Site::get_emails(141.142.100.100);
    }
$

3

Thanks Justin. That worked. :slight_smile:

Out of curiosity, what does the “print Site::get_emails()” statement do?

4

## Function that returns a comma-separated list of email addresses
    ## that are considered administrators for the IP address provided as
    ## an argument.
    ## The function inspects :bro:id:`Site::local_admins`.
    global get_emails: function(a: addr): string;

5

I see. Thanks again.

6

For context on this functionality, it was written for Universities with distributed administrators for all of the networks. It was written so I could load the database of network admins into Bro and have it email the responsible party automatically.

  .Seth