Hello all,
I am hooking into the notice framework to alert on hits from the intel framework. For a given hit I get multiple emails. I’d like to suppress the notice, but I am having a syntax issue. This is what I have that doesn’t work - what is the right syntax to add in a suppression interval of X minutes?
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Intel::Notice && n?$src && !(n$src in intel_server_whitelist ) )
        {
        add n$actions[Notice::ACTION_EMAIL];
        add n$suppress_for=5min;
        }
    }
Best Regards,
Derek