Good morning,
I’m working on email separation between users and admins on my local Bro instance and I’m not understanding the syntax for either the “Site::get_emails” or the “Site::local_admins” variables for ACTION_EMAIL_ADMIN. Since I avoid functions, I attempted to redefine the following in my local.bro:
redef Site::local_admins += {
table([xxx.xxx.xxx.xxx/16] = “emailaddress1@something.com,emailaddress2@something.com”);
};
Reference: https://www.bro.org/sphinx/scripts/base/utils/site.bro.html#id-Site::local_admins
Bro doesn’t like this and I’m unable to find previous examples for guidance. Could someone point me in the right direction?
Thanks,
It's a table of a set of strings:
scripts/base/utils/site.bro: const local_admins: table[subnet] of set[string] = {} &redef;
$ git grep redef.*local_admins
testing/btest/scripts/base/utils/site.test:redef Site::local_admins += {
$ cat testing/btest/scripts/base/utils/site.test
# @TEST-EXEC: bro %INPUT > output
# @TEST-EXEC: btest-diff output
# This is loaded by default.
#@load base/utils/site
global a = { "site-admin@example.com", "other-site-admin@example.com" };
global b = { "net-admin@example.com" };
redef Site::local_admins += {
[141.142.0.0/16] = a,
[141.142.100.0/24] = b,
};
event bro_init()
	{
	print Site::get_emails(141.142.1.1);
	print Site::get_emails(141.142.100.100);
	}
$
Thanks Justin. That worked. 
Out of curiosity, what does the “print Site::get_emails()” statement do?
## Function that returns a comma-separated list of email addresses
## that are considered administrators for the IP address provided as
## an argument.
## The function inspects :bro:id:`Site::local_admins`.
global get_emails: function(a: addr): string;
For context on this functionality, it was written for universities with distributed administrators for all of the networks. It was written so I could load the database of network admins into Bro and have it email the responsible party automatically.
.Seth
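
Added example, not part of the thread or of Bro's own scripts: one way to connect the Site::local_admins table shown in the reply above to Notice::ACTION_EMAIL_ADMIN, assuming Bro 2.2 or later (for "hook Notice::policy"). The subnets and e-mail addresses are constructed placeholders, and routing Scan::Address_Scan is an assumption chosen for illustration.

```bro
# Added example for local.bro. Subnets (RFC 5737) and addresses are constructed.
@load base/utils/site
@load base/frameworks/notice
@load misc/scan    # provides Scan::Address_Scan, the notice assumed below

# Networks this sensor treats as local.
redef Site::local_nets += { 192.0.2.0/24, 198.51.100.0/24 };

# table[subnet] of set[string]: each subnet maps to a *set* of addresses,
# not to one comma-separated string.
redef Site::local_admins += {
	[192.0.2.0/24] = set("netops@example.com", "secops@example.com"),
	[198.51.100.0/24] = set("lab-admin@example.com"),
};

# Notice types whose mail should go to the responsible subnet admins
# (hypothetical name; extend with redef as needed).
const admin_mail_notes: set[Notice::Type] = {
	Scan::Address_Scan,
} &redef;

hook Notice::policy(n: Notice::Info)
	{
	# Only tag the selected notice types. ACTION_EMAIL_ADMIN addresses the
	# mail via Site::get_emails() on the address(es) carried by the notice.
	if ( n$note in admin_mail_notes )
		add n$actions[Notice::ACTION_EMAIL_ADMIN];
	}

event bro_init()
	{
	# Sanity check at startup: show who would be mailed for a sample host
	# in each subnet, and confirm an unlisted address yields an empty string.
	print Site::get_emails(192.0.2.10);
	print Site::get_emails(198.51.100.20);
	print Site::get_emails(203.0.113.5) == "";
	}
```

Running "bro local.bro" without live traffic is enough to exercise the bro_init() check and catch a mistyped table entry before any notice mail is sent.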