question about send_email_notice

Bro users and developers,

We have modified our notice action filters; some notices/alerts get sent
via email (while others only get logged to file_notice).

A small snippet:

redef notice_action_filters += {
        [[AddressScan, PortScan, PasswordGuessing]] = send_email_notice,
};

redef notice_action_filters += {
        [[ProtocolDetector::ProtocolFound, ProtocolDetector::ServerFound]] =

My question is: Is it easily possible to place additional information in
the email notices themselves?

For example, an AddressScan mail might simply say, " has
scanned 100 hosts (45653/tcp)". It would save a lot of analyst time
("grep time" if you will) if the mail included the hosts which were
considered scanned by Bro.

Matt Cuttler

My solution to this was to modify the email_notice function in
notice.bro as follows:

function email_notice(n: notice_info, action: NoticeAction,
                      info: string)
        {
        # Nothing to send when replaying a trace or when no recipient is set.
        if ( ! reading_live_traffic() || mail_dest == "" )
                return;

        # Choose destination address based on action type.
        local destination = (action == NOTICE_EMAIL) ?
                mail_dest : mail_page_dest;
        local mail_cmd = "";

        # detailed_email is a new boolean switch declared alongside this
        # function (its declaration is not shown in this post).
        if ( detailed_email )
                # This version assumes mail_script has been redef'd to a
                # script that builds the more detailed alarm from the full
                # notice text it receives on stdin.
                mail_cmd = fmt("echo \"%s\" | %s %s", info,
                               mail_script, destination);
        else
                # This version sends the bare alarm message directly to the
                # mail command, with the notice type as the subject.
                mail_cmd = fmt("echo \"%s\" | %s -s \"[Bro Alarm] %s\" %s",
                               n$msg, mail_script, n$note, destination);

        # As in the stock notice.bro: hand the command line to the shell.
        # Note that info and n$msg are dropped into that command line
        # unescaped, so a double quote or $(...) in a message reaches sh.
        system(mail_cmd);
        }
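The "detailed" branch above leaves the message formatting to whatever script mail_script points at. The following is an added example of such a script (not Bro's own mail_notice.sh, and not code from this thread): it reads the whole notice text from stdin, turns the first line into the subject, appends the full text as the body, and hands both to the mailer named by $MAILER (assumed; defaults to mail). Because the text travels through a pipe and the subject is a single argument, quotes, backslashes or $(...) in the notice arrive literally instead of being interpreted by the shell.

```shell
#!/bin/sh
# Hypothetical mail_notice.sh: a stand-in for the "detailed" mail_script that
# the modified email_notice pipes the alarm text into. Added example, not
# part of Bro. Assumptions: the complete notice text arrives on stdin, its
# first line is the one-line alarm summary, the destination address is $1,
# and the mailer command is $MAILER (default: mail).

# Derive the subject from the first line of the notice text on stdin.
alarm_subject() {
    first=$(head -n 1)
    printf '[Bro Alarm] %s\n' "$first"
}

# Build the body: the full notice text plus a trailer, so an analyst can
# tell a detailed alarm from a bare one without opening the Bro logs.
alarm_body() {
    cat
    printf '%s\n' '-- end of Bro notice --'
}

# Send one alarm to the address in $1. The notice text is never
# interpolated into a command string: it flows through a pipe, and the
# subject is one argv word, so the shell never parses its contents.
send_alarm() {
    dest=$1
    text=$(cat)
    subject=$(printf '%s\n' "$text" | alarm_subject)
    printf '%s\n' "$text" | alarm_body | "${MAILER:-mail}" -s "$subject" "$dest"
}

# When run as a script (mail_notice.sh <address> < notice.txt), send it.
if [ -n "${1-}" ]; then
    send_alarm "$1"
fi
```

To use it from the modified email_notice, redef mail_script to the path of this file; the Bro side then only needs to pipe the notice text in, and any extra detail (the list of scanned hosts, for instance) is something the script can append from whatever source it has access to.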