Two questions

I set up a Bro instance on a Raspberry Pi 3 with a WLAN monitor interface, for IDS home use.

I got notices, and with the

hook Notice::policy(n: Notice::Info)
         {
         # add the e-mail action to every notice
         add n$actions[Notice::ACTION_EMAIL];
         }

config (example from the mailing list) in my local.bro, I got notices by mail. Works fine.

I also installed Critical Stack intel feeds, and I see an Intel file created when I test a banned IP address.

I am new to Bro and have no knowledge of Bro configuration and the scripting language, but I want to make a quick start.

I have two questions:

1: How can the intel also get mailed, when an intel event occurs?
I tried

redef Notice::emailed_types += {
         HTTP::IN_HOST_HEADER,
};

Config check is ok but after triggering an intel event I got no mail.

2: I want to incorporate a Bash curl script to send alerts to other systems when a notice or an intel event occurs. How do I accomplish this?

Thanks in advance.

Hi,

1: How can the intel also get mailed, when an intel event occurs?
I tried

redef Notice::emailed_types += {
         HTTP::IN_HOST_HEADER,
};

HTTP::IN_HOST_HEADER actually is not a notice type; it is a location of
the Intel framework. Try using Intel::Notice instead, that should work.

2: I want to incorporate a Bash curl script to send alerts to other systems when a notice or an intel event occurs. How do I accomplish this?

You probably want to use the exec framework -
https://www.bro.org/sphinx/scripts/base/utils/exec.bro.html.

I hope this helps,
Johanna
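Putting both answers together, here is an added local.bro example (not code from the thread or from Bro's own scripts). It assumes a user-provided wrapper script /usr/local/bin/alert.sh that performs the curl call, and relies on the fact that do_notice only raises Intel::Notice for feed items whose meta.do_notice column is T.

```bro
# Added example for local.bro; assumes /usr/local/bin/alert.sh is your own
# wrapper around curl that takes the alert text and indicator as arguments.
@load policy/frameworks/intel/do_notice   # provides Intel::Notice
@load base/utils/exec                     # provides Exec::run / Exec::Command

# Intel::Notice is the notice type raised on an intel hit, so it is the
# type to add here (HTTP::IN_HOST_HEADER is an Intel::Where location).
# do_notice only raises it for feed items with meta.do_notice set to T.
redef Notice::emailed_types += { Intel::Notice };

# Assumed path of the operator's curl wrapper script.
const intel_alert_script = "/usr/local/bin/alert.sh" &redef;

# Notice::notice is raised for every notice after the policy hooks ran;
# hand intel hits to the external script through the Exec framework.
event Notice::notice(n: Notice::Info)
    {
    if ( n$note != Intel::Notice )
        return;

    # safe_shell_quote() keeps the notice text from being interpreted by
    # the shell; for Intel notices, sub carries the matched indicator.
    local indicator = n?$sub ? n$sub : "";
    local cmd = Exec::Command($cmd=fmt("%s %s %s", intel_alert_script,
                                       safe_shell_quote(n$msg),
                                       safe_shell_quote(indicator)));

    when ( local res = Exec::run(cmd) )
        {
        if ( res$exit_code != 0 )
            Reporter::warning(fmt("%s exited with %d for: %s",
                                  intel_alert_script, res$exit_code, n$msg));
        }
    timeout 30sec
        {
        Reporter::warning(fmt("%s timed out for: %s",
                              intel_alert_script, n$msg));
        }
    }
```

Run `broctl check` after adding this, and make sure the intel feed rows you test with actually carry meta.do_notice=T, otherwise no Intel::Notice is generated and neither the mail nor the script will fire.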