[Bro] re: Alternative from addresses in emails (diff output, and fixed)
by Mcclelland-Bane, Randy
See below for diff -u output. This is based on the development branch
0.9a9. The last message I sent had a bug where the "To:" address wasn't
set so sometimes the messages arrived to "Undisclosed recipients." That
is fixed now.
These will be helpful for those of you who want a configurable FROM:
address, or the ability to send a mix of encrypted/plaintext reports.
The first patch converts the bro report/notice mailing scripts and
config file to use sendmail instead of mail. This allows the
configuration of BRO_EMAIL_FROM in bro.cfg, which specifies the From:
address on outgoing messages.
The second patch expands on the first patch slightly and adds a failover
mode to the mail_reports.sh script that sends plaintext if the gpg process fails.
I put this in so that you could have some copies of the reports encrypted if you had the
public key for the recipient, and leave others in plaintext if the key did not exist.
There should be a more elegant way to check whether the public key exists and decide based on
that. Right now I'm just basing it on the process failing, but it should do key checking.
* Be very careful with the second patch, as you could be sending plaintext when you
don't wish to if you have errors with gpg keys, etc. *
You can add in the second patch on top of the first one, but don't try it by itself.
To apply either of these do:
cd /path/to/bro-tar-unpacked/scripts
patch < patchfile
Cheers,
Randy
## BEGIN FIRST PATCH
--- bro.cfg.example 2004-12-03 09:37:44.000000000 -0800
+++ ../../BRO/bro.cfg.example 2005-07-26 14:47:56.000000000 -0700
@@ -106,6 +106,9 @@
# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="bro@localhost"
+# Email address to send from
+BRO_EMAIL_FROM="bro@localhost"
+
# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
BRO_EMAIL_EXTERNAL="NO"
--- bro_config.in 2005-02-09 00:22:02.000000000 -0800
+++ ../../BRO/bro_config.in 2005-07-26 14:47:56.000000000 -0700
@@ -334,6 +334,9 @@
# Email address for local reports to be mailed to
BRO_EMAIL_LOCAL="${BRO_EMAIL_LOCAL:-NO}"
+# Email address to send from
+BRO_EMAIL_FROM="${BRO_EMAIL_FROM:-$BRO_EMAIL_LOCAL}"
+
# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
BRO_EMAIL_EXTERNAL="${BRO_EMAIL_EXTERNAL:-NO}"
export BRO_EMAIL_EXTERNAL
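Review bot: The new default on line 44 inherits BRO_EMAIL_LOCAL, whose own default two lines above is the literal string "NO", so an unconfigured site ends up with `BRO_EMAIL_FROM="NO"` and that value is later passed to `sendmail -f`. A fallback that is a real address, or a check that rejects "NO", would avoid that. The last context line shows the file exporting BRO_EMAIL_EXTERNAL; if the other mail variables are exported the same way elsewhere in the file, the new variable presumably needs `export BRO_EMAIL_FROM` as well.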
--- mail_notice.sh 2004-12-17 15:03:47.000000000 -0800
+++ ../../BRO/mail_notice.sh 2005-07-27 16:59:55.000000000 -0700
@@ -2,5 +2,26 @@
#
# This is a sample script to provide basic email notification for
# notices marked NOTICE_EMAIL .
+# Usage: mail_notice "subject" recipient (optional config path)
-mail -s "Bro alarm: $1" $2
+notice="/tmp/bro.notice.$$"
+
+# Clean up after ourselves
+trap "rm -f $notice; exit" 1 2 15
+
+# where are we located
+base=`dirname $0`
+
+#set up the environment
+if [ $3 ] ; then
+ . $3
+else
+ . $base/../etc/bro.cfg
+fi
+
+echo "From:<$BRO_EMAIL_FROM>" > $notice
+echo "To:<$2>" >> $notice
+echo "Subject: Bro alarm: $1" >> $notice
+
+cat $notice | sendmail -oi -f $BRO_EMAIL_FROM $2
+rm -f $notice
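Review bot: The notice body is lost: the removed `mail -s` line read the message text from stdin, but the new script only writes three header lines to $notice and pipes that to sendmail, so the recipient gets a message with no body and, because no blank line separates headers from body, anything appended later would be parsed as header text. After the Subject line on line 74 add `echo "" >> $notice` and `cat >> $notice` so stdin becomes the body. The temporary path `/tmp/bro.notice.$$` is predictable and world-writable-directory based; `notice=$(mktemp /tmp/bro.notice.XXXXXX) || exit 1` is safer, and the same applies to `tmp_file` in mail_reports.sh. Since $1 and $2 are written straight into header lines, a subject or recipient containing a newline would inject extra headers; stripping newlines from both before writing them is cheap.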
--- mail_reports.sh 2004-12-09 15:26:19.000000000 -0800
+++ ../../BRO/mail_reports.sh 2005-07-27 18:40:41.000000000 -0700
@@ -6,8 +6,12 @@
#
# Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg)
+gpg_error=""
+sent_message=""
+tmp_file="/tmp/bro.report.$$"
+
# Clean up after ourselves
-trap "rm /tmp/bro.report.$$; exit" 1 2 15
+trap "rm $tmp_file; exit" 1 2 15
# where are we located
base=`dirname $0`
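Review bot: The trap on line 89 runs `rm $tmp_file` without `-f`, so if the signal arrives before the file has been created the trap itself prints an error, and the trap does not fire on a normal exit, leaving the file behind on any path that exits before its own `rm`. Prefer `trap 'rm -f "$tmp_file"; exit' 0 1 2 15` (single quotes so the variable is expanded when the trap runs, not when it is set).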
@@ -23,25 +27,40 @@
report=`ls -1t $BRO_REPORT_DIR/local/$BRO_SITE_NAME*.rpt | head -1`
report_interval=`grep Report $report | awk '{print $6,"-",$9}'`
+# set up temporary report with subject line embedded
+report_subject="Subject: $BRO_HOSTNAME Report: $report_interval"
+
# and email it
# if encrypted make sure we have a good (gpg) bin and keys
if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then
if [ -x $BRO_GPG_BIN ] ; then
- for recpt in $BRO_EMAIL_LOCAL ; do
- cat $report | $BRO_GPG_BIN --yes -ea -r $recpt|mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt
+ for recpt in $BRO_EMAIL_LOCAL ; do
+ echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+ echo "To: <$recpt>" >> $tmp_file
+ echo "$report_subject" >> $tmp_file
+ cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+ cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
done
+ sent_message="1"
+ rm $tmp_file
else
- echo "Invalid gpg bin $BRO_GPG_BIN" > /tmp/bro.report.$$
+ gpg_error="1"
fi
-else # not ENCRYPTED
- cat $report > /tmp/bro.report.$$
fi
# if there was an error or we are sending unencrypted ...
-if [ -r /tmp/bro.report.$$ ] ; then
+if [ -z $sent_message ] ; then
for recpt in $BRO_EMAIL_LOCAL ; do
- cat /tmp/bro.report.$$ | mail -s "$BRO_HOSTNAME Report: $report_interval" $recpt
+ echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+ echo "To: <$recpt>" >> $tmp_file
+ echo "$report_subject" >> $tmp_file
+ cat $report >> $tmp_file
+ if [ $gpg_error ] ; then
+ echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file
+ fi
+ cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
done
- rm /tmp/bro.report.$$
+ rm $tmp_file
fi
exit 0
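Review bot: Lines 128-130 send the full report in plaintext when BRO_ENCRYPT_EMAIL is "YES" but the gpg binary is not executable, whereas the removed lines 114 and 118 only mailed the error text in that case; this is a silent downgrade for a site that asked for encryption. Guard the body with the error flag, e.g. `if [ -z "$gpg_error" ] ; then cat $report >> $tmp_file ; else echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file ; fi`. Line 108 also never checks gpg's exit status, so a failed encryption still sends a message with an empty or partial body. In both branches the body follows the Subject line with no blank line (lines 107-108 and 127-128), so the PGP armor or report text will be read as malformed headers; add `echo "" >> $tmp_file` after each subject line. `[ -z $sent_message ]` on line 122 only works because `[ -z ]` happens to be true; quote it as `[ -z "$sent_message" ]`.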
+
## BEGIN SECOND PATCH
--- mail_reports.sh 2005-07-27 18:40:41.000000000 -0700
+++ mail_reportsMIX.sh 2005-07-27 18:40:29.000000000 -0700
@@ -39,6 +39,13 @@
echo "To: <$recpt>" >> $tmp_file
echo "$report_subject" >> $tmp_file
cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+ # If the encryption fails, send it unencrypted
+ if [ $? -ne 0 ] ; then
+ echo "From:<$BRO_EMAIL_FROM>" > $tmp_file
+ echo "To: <$recpt>" >> $tmp_file
+ echo "$report_subject" >> $tmp_file
+ cat $report >> $tmp_file
+ fi
cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
done
sent_message="1"
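Review bot: The fallback on lines 147-152 downgrades to plaintext without leaving any trace: nothing is written to stderr or to the log, and the message itself does not say it was meant to be encrypted, so an operator cannot tell from the delivered mail that a key problem occurred. Add `echo "Warning: gpg failed for $recpt, report sent unencrypted" >&2` inside the `if`, and consider appending a one-line notice to the body as well. Deciding on key presence up front (a `--list-keys "$recpt"` check before the loop) would avoid downgrading on a transient gpg failure; the enclosing `for` loop starts outside this hunk. Line 148 writes `From:<` without the space used on the equivalent line in the first patch; the two should match.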