Anthony Verez created BIT-1063:
----------------------------------
Summary: Patch for documentation
Key: BIT-1063
URL: https://bro-tracker.atlassian.net/browse/BIT-1063
Project: Bro Issue Tracker
Issue Type: Patch
Components: Website
Affects Versions: git/master
Reporter: Anthony Verez
I fixed examples, a link and a typing error in the docs for the git/master
version. Great docs btw ;-)
Patch:
diff --git a/doc/notice.rst b/doc/notice.rst
index 76d5bcd..b4b375c 100644
--- a/doc/notice.rst
+++ b/doc/notice.rst
@@ -98,9 +98,9 @@ type :bro:see:`SSH::Password_Guessing` if the server is
10.0.0.1:
.. note::
- Keep in mind that the semantics of the SSH::Password_Guessing notice are
- such that it is only raised when Bro heuristically detects a failed
- login.
+ Keep in mind that the semantics of the :bro:see:`SSH::Password_Guessing`
+ notice are such that it is only raised when Bro heuristically detects
+ a failed login.
Hooks can also have priorities applied to order their execution like events
with a default priority of 0. Greater values are executed first. Setting
@@ -339,7 +339,7 @@ included below.
hook Notice::policy(n: Notice::Info)
{
if ( n?$conn && n$conn?$http && n$conn$http?$host )
- n$email_body_sections[|email_body_sections|] = fmt("HTTP host header:
%s", n$conn$http$host);
+ n$email_body_sections[|n$email_body_sections|] = fmt("HTTP host
header: %s", n$conn$http$host);
}
@@ -348,7 +348,7 @@ Cluster Considerations
As a user/developer of Bro, the main cluster concern with the notice framework
is understanding what runs where. When a notice is generated on a worker, the
-worker checks to see if the notice shoudl be suppressed based on information
+worker checks to see if the notice should be suppressed based on information
locally maintained in the worker process. If it's not being
suppressed, the worker forwards the notice directly to the manager and does no
more
local processing. The manager then runs the :bro:see:`Notice::policy` hook and
diff --git a/doc/quickstart.rst b/doc/quickstart.rst
index 9f64e36..b5ac4ee 100644
--- a/doc/quickstart.rst
+++ b/doc/quickstart.rst
@@ -270,14 +270,11 @@ that only takes the email action for SSH logins to a
defined set of servers:
192.168.1.102,
} &redef;
- redef Notice::policy += {
- [$action = Notice::ACTION_EMAIL,
- $pred(n: Notice::Info) =
- {
- return n$note == SSH::Login && n$id$resp_h in watched_servers;
- }
- ]
- };
+ hook Notice::policy(n: Notice::Info)
+ {
+ if ( n$note == SSH::SUCCESSFUL_LOGIN && n$id$resp_h in watched_servers
)
+ add n$actions[Notice::ACTION_EMAIL];
+ }
You'll just have to trust the syntax for now, but what we've done is
first declare our own variable to hold a set of watched addresses,
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://bro-tracker.atlassian.net/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
