SMTP Plugin
The SMTP plugin provides the ability to send textual alerts via email.
Basic configuration example:
[smtp]
sender = prelude@my.domain
recipients = recipient1@domain1, recipient2@domain2
smtp-server = smtp.my.domain
Templating mail content
By default, the SMTP plugin sends mail containing the whole IDMEF event.
If you wish to send only a subset of the information, you may customize the content of the generated mail through several options:
You can define a specific subject to use for mail notification.
The subject can include information gathered from the event using IDMEF paths.
subject = Alert: $alert.classification.text
Additionally, you can provide a template for the message body of the mail notification.
As with the "subject" option, the template can include information gathered from the event using IDMEF paths.
template = /path/to/my/mail.template
Template file example:
***
http://127.0.0.1:8000/?view=alert_summary&origin=alert_listing&analyzerid=$alert.analyzer(-1).analyzerid&messageid=$alert.messageid

$alert.classification.text : $alert.source(0).node.address(0).address -> $alert.target(0).node.address(0).address

Create Time: $alert.create_time
Sensor: $alert.analyzer(-1).name - $alert.analyzer(-1).node.name - $alert.analyzer(-1).node.address(0).address

#if $alert.correlation_alert.name
[[CorrelationAlert]] name: $alert.correlation_alert.name
#end if
***
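To make the placeholder semantics concrete, here is an added Python illustration (not the plugin's own code) that resolves IDMEF paths against a constructed alert and renders a subject and a body template in the syntax shown above, including the #if/#end if block. The nested-dict event layout, the rule that a negative index such as analyzer(-1) counts from the end of the list, and the exact template grammar are assumptions made for this example.

```python
import re

# Constructed IDMEF alert (not a real Prelude event); lists model indexed nodes such as analyzer(-1).
ALERT = {
    "messageid": "42", "create_time": "2024-01-01T00:00:00Z",
    "classification": {"text": "Brute-force login"},
    "analyzer": [{"analyzerid": "1", "name": "prelude-lml",
                  "node": {"name": "sensor1", "address": [{"address": "10.0.0.5"}]}}],
    "source": [{"node": {"address": [{"address": "198.51.100.7"}]}}],
    "target": [{"node": {"address": [{"address": "10.0.0.20"}]}}],
    "correlation_alert": None,
}
# Body template in the page's syntax: $path placeholders plus an #if/#end if block.
TEMPLATE = """\
$alert.classification.text : $alert.source(0).node.address(0).address -> $alert.target(0).node.address(0).address
Create Time: $alert.create_time
Sensor: $alert.analyzer(-1).name - $alert.analyzer(-1).node.name - $alert.analyzer(-1).node.address(0).address
#if $alert.correlation_alert.name
[[CorrelationAlert]] name: $alert.correlation_alert.name
#end if
"""

# One IDMEF path: dot-separated elements, each with an optional (index).
PATH = r"(?:\w+(?:\(-?\d+\))?\.)*\w+(?:\(-?\d+\))?"
ELEM_RE = re.compile(r"^(\w+)(?:\((-?\d+)\))?$")

def resolve(event, path):
    """Walk a path like alert.analyzer(-1).node.address(0).address; None if unset."""
    node = {"alert": event}
    for elem in path.split("."):
        m = ELEM_RE.match(elem)
        if not m or not isinstance(node, dict) or m.group(1) not in node:
            return None
        node = node[m.group(1)]
        if m.group(2) is not None:  # indexed element; negative counts from the end (assumed)
            idx = int(m.group(2))
            if not isinstance(node, list) or not -len(node) <= idx < len(node):
                return None
            node = node[idx]
    return node

def render(template, event):
    """Drop #if blocks whose path is unset, then substitute every $path."""
    def keep_if_set(m):
        return m.group(2) if resolve(event, m.group(1)) else ""
    text = re.sub(r"#if \$(" + PATH + r")\n(.*?)#end if\n?", keep_if_set, template, flags=re.S)
    def value(m):
        v = resolve(event, m.group(1))
        return "" if v is None else str(v)
    return re.sub(r"\$(" + PATH + ")", value, text)
```

With the constructed alert, the #if block is dropped because correlation_alert is unset; setting it makes the [[CorrelationAlert]] line appear.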
CorrelationAlert handling
When a CorrelationAlert (an alert that points to multiple previously received IDMEF alerts) is received, the SMTP plugin can retrieve the correlated alerts (the alerts linked to the CorrelationAlert) from the database and include them in the generated email message.
You can also specify an email template for correlated alerts.
dbtype = mysql
dbname = prelude
dbuser = prelude
dbpass = passwd
dbhost = localhost
correlated-alert-template = /path/to/my/mail.template