
Alert Lists not working on 2.0.0 (Linux)

Open fcgreg opened this issue 2 years ago • 3 comments

I have been putting release 2.0.0 through some functional testing with real-world data, using a Linux-based environment. After running multiple tests against the same evidence extraction, it appears that the Alert List functionality is not working. Results, repeated multiple times:

  1. The special Alerts_found.txt file is not created.
  2. Entries contained in the Alert List are confirmed to be in the evidence extraction and appear in the output feature files.

Environment notes:

  • I am using a simple Alert List containing two entries: an email address and a bare domain name, both verified to appear in the source extraction multiple times.
  • I am using BE version 2.0.0 compiled from source on a modern variant of Ubuntu 22.04 LTS.

Let me know how I can help figure this out. Thanks for the help!

Quick aside: I have noticed the Stop List functionality doesn't seem to be working, either; I have filed that as a separate issue.

fcgreg avatar Jun 01 '22 04:06 fcgreg

Thank you. Do you need this functionality or did you simply notice that it is not present?

simsong avatar Jun 01 '22 09:06 simsong

Thanks again for the quick reply. For others following this: I posted more detailed info in issue #356, but I'll add some feature-specific notes here for completeness:

I sometimes use this feature and believe it is valuable. I would prioritize Stop Lists over this feature, but there are good uses for this one as well. I think the use-cases increase if BE is being integrated with other workflows. For example, if I'm scripting jobs against BE, I could pass an Alert List as command arguments to BE and have it search one or more extractions for the data. Then after successful job completion, I could test for the existence of non-comment entries in the resulting Alerts_Found.txt file(s) and proceed appropriately.

Currently I'm using this feature on v1.5.5 to produce the Alerts_Found.txt file as a simple forensic artifact/report.

fcgreg avatar Jun 01 '22 16:06 fcgreg
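
The scripted workflow described in the comment above (run bulk_extractor with an alert list, then test the resulting alert file for non-comment entries), as an added shell example. It is not part of this thread or of the bulk_extractor project. It assumes the alert file name given in the post (Alerts_Found.txt under the output directory) and the `-r` (alert list) and `-o` (output directory) flags from the bulk_extractor 1.5 usage text; the sample feature file it processes is constructed, not real output.

```shell
#!/bin/sh
# Added example, not bulk_extractor project code: gate a scripted job on the
# alert feature file it produces. bulk_extractor feature files are tab-separated
# (offset, feature, context) and every header/metadata line starts with '#', so
# "any alert fired" means "any non-comment, non-blank line".
#
# Assumptions: the alert file is named as in the post (Alerts_Found.txt under
# the output directory); -r (alert list) and -o (output directory) are the
# flags from the bulk_extractor 1.5 usage text. Adjust for your build.

# alert_hits <feature_file>: print the number of alert lines; return 0 when
# at least one alert fired, 1 otherwise (also 1 if the file is unreadable).
alert_hits() {
    file="$1"
    if [ ! -r "$file" ]; then echo 0; return 1; fi
    n=$(grep -cv -e '^#' -e '^[[:space:]]*$' "$file" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# alert_summary <feature_file>: distinct alerted features, most frequent first.
alert_summary() {
    grep -v '^#' "$1" | awk -F'\t' 'NF >= 2 { print $2 }' | sort | uniq -c | sort -rn
}

# run_job <image> <alert_list> <outdir>: run one extraction and return 0 only
# if the alert list matched something. Return 2 if bulk_extractor itself failed.
run_job() {
    bulk_extractor -r "$2" -o "$3" "$1" || return 2
    alert_hits "$3/Alerts_Found.txt" >/dev/null
}

# Constructed sample standing in for a real job's alert file (not real data).
write_sample_alerts() {
    {
        printf '%s\n' '# BULK_EXTRACTOR-Version: 1.5.5' '# Feature-Recorder: alerts'
        printf '%s\t%s\t%s\n' 1048576 'alice@example.com' 'Contact alice@example.com for'
        printf '%s\t%s\t%s\n' 2097152 'example.com'       'visit example.com today'
        printf '%s\t%s\t%s\n' 3145728 'alice@example.com' 'From: alice@example.com'
    } > "$1"
}

# Stand-alone demo on the constructed sample (no bulk_extractor run needed).
sample=$(mktemp)
write_sample_alerts "$sample"
if alert_hits "$sample" >/dev/null; then
    echo "alerts fired:"; alert_summary "$sample"
else
    echo "no alerts"
fi
rm -f "$sample"
```

In a batch, call `run_job image.raw alerts.txt out/image1` once per extraction and branch on its return code: 0 means the alert list matched, 1 means a clean run with no hits, 2 means the extraction itself failed and the result should not be trusted either way.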

For what you are doing, regular stop lists are fine.

Context-sensitive stop lists are for situations where you might be trying to find all of the email addresses in a collection but you don't want to trigger on an email address that is part of the Linux distribution. If you stop list the Linux email addresses, you won't find out if one of the Linux developers is also exchanging email with a target of interest in your collection. It's a weird case. On the other hand, it prevents the Linux developers from selling their email addresses on the secondary market.

simsong avatar Jun 02 '22 01:06 simsong
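
The distinction drawn in the reply above, as an added shell illustration that is not part of the thread and is not bulk_extractor's own matching code: a plain stop-list entry suppresses an address wherever it appears, while a context-sensitive entry suppresses it only in the exact context recorded with it, so the same address still surfaces when it shows up in a mail exchange. The matching rule used here (exact equality on the feature, or on feature plus context) and the sample feature file are this example's assumptions; check your build's documentation for how `-w` matches in practice.

```shell
#!/bin/sh
# Added example, not bulk_extractor project code: post-filter a constructed
# email feature file with a plain stop list and with a context-sensitive one,
# to show why the two give different results. The matching rule below is a
# model for illustration (exact match on feature, or on feature+context);
# check your build's documentation for how -w matches in practice.

# Feature-file lines are tab-separated: offset, feature, context. Header lines
# start with '#'. Stop-list entries here are either a bare feature (stop it
# everywhere) or a feature-file line (stop it only in that exact context).

# apply_stop_list <stop_list> <feature_file>: print the features that survive.
apply_stop_list() {
    awk -F'\t' '
        FNR == NR {                              # first file: the stop list
            if ($0 ~ /^#/ || $0 ~ /^[[:space:]]*$/) next
            if (NF >= 3) ctx[$2 "\t" $3] = 1     # context-sensitive entry
            else         plain[$1] = 1           # plain entry
            next
        }
        /^#/ { next }                            # feature file: skip headers
        NF >= 3 {
            if ($2 in plain) next
            if (($2 "\t" $3) in ctx) next
            print
        }
    ' "$1" "$2"
}

# surviving_count <stop_list> <feature_file>: number of features kept.
surviving_count() {
    apply_stop_list "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample data (not from any real image). The maintainer address
# appears once in a package-metadata context and once in a mail exchange.
write_samples() {
    dir="$1"
    {
        printf '%s\n' '# Feature-Recorder: email'
        printf '%s\t%s\t%s\n' 4096  'maintainer@example.org' 'Maintainer: maintainer@example.org <pkg'
        printf '%s\t%s\t%s\n' 8192  'maintainer@example.org' 'From: maintainer@example.org To: targ'
        printf '%s\t%s\t%s\n' 12288 'target@example.net'     'To: target@example.net Subject: re:'
    } > "$dir/email.txt"
    # Plain stop list: the address is dropped wherever it appears.
    printf '%s\n' 'maintainer@example.org' > "$dir/stop_plain.txt"
    # Context-sensitive stop list: only the package-metadata occurrence is dropped.
    printf '%s\t%s\t%s\n' 0 'maintainer@example.org' 'Maintainer: maintainer@example.org <pkg' > "$dir/stop_ctx.txt"
}

# Stand-alone demo.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "plain stop list keeps $(surviving_count "$demo_dir/stop_plain.txt" "$demo_dir/email.txt") feature(s)"
echo "context-sensitive stop list keeps $(surviving_count "$demo_dir/stop_ctx.txt" "$demo_dir/email.txt") feature(s):"
apply_stop_list "$demo_dir/stop_ctx.txt" "$demo_dir/email.txt"
rm -rf "$demo_dir"
```

With the plain list only the target's address survives; with the context-sensitive list the maintainer's address is kept at offset 8192, where it appears in a message header rather than in package metadata, which is exactly the case the reply says a plain stop list would hide.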