4.3 Sending (E-mail) Bro Reports
A daily 'internal' report is created that covers three sets of
information:
- Incident information
- Operational status of Bro
- General network traffic information
If the local organization is asked to report incidents to another
incident analysis organization (e.g. CERT, CIAC, FedCIRC), an
auxiliary 'external' report can be created that contains only the
incident information. These reports are stored in $BRODIR/reports.
The two reports will be mailed to the e-mail addresses specified during
Bro installation. These e-mail addresses can be changed by re-running
the bro_config script or by editing $BROHOME/etc/bro.cfg directly. Each
report has its own set of e-mail addresses. To send the auxiliary
report directly to the external incident analysis organization without
inspection, enter that organization's e-mail address for the external
report. Otherwise, have the external report sent to someone who can
inspect it and forward it appropriately.