[Bro] ACTION_EMAIL and ACTION_EMAIL_ADMIN not working

Daytona Leo daytona.ryu at gmail.com
Mon Apr 13 14:50:13 PDT 2015


Hello Bros,

This message is in regards to getting the notification types ACTION_EMAIL
and ACTION_EMAIL_ADMIN to actually send an email.

I tried getting on IRC and no one replied, and I've tried everything.

First, let me say that I know bro can send emails with sendmail because
when bro crashes I get messages from my server and I've also tested
manually sending an email with sendmail.

I've been testing this with the Weak_Keys bro script to detect any SSL/TLS
keys that are less than 4096 length (so that it triggers on pretty much
every website):

./share/bro/policy/protocols/ssl/weak-keys.bro

My local.bro only contains:

@load policy/protocols/ssl/weak-keys.bro

The code added to weak-keys.bro at the end of the export section to enable
the email action is as follows:

        hook Notice::policy(n: Notice::Info)
                {
                if ( n$note == SSL::Weak_Key )
                        add n$actions[Notice::ACTION_EMAIL_ADMIN];
                }

I can see in the notice.log that it is one of the listed actions for these
notices. Example from notice.log:

1428960187.772499       Cec6cr4QGk6SIcnxdb      192.168.1.15    60350
64.233.177.113  443     -       -       -       tcp     SSL::Weak_Key
Host uses weak certificate with 256 bit key        -       192.168.1.15
 64.233.177.113  443     -       bro
Notice::ACTION_EMAIL_ADMIN,Notice::ACTION_LOG   86400.000000    F       -
    -       -       - -

I've also tried this with ACTION_EMAIL and it still doesn't work.

Checking the /var/log/mail.log and mail.info looks like it is trying to
send emails but they aren't reaching my gmail.

Apr 13 14:40:59 brotector sendmail[21412]: t3DLewwo021412: to=
daytona.leo at gmail.com, ctladdr=root (0/0), delay=00:00:01, xdelay=00:00:00,
mailer=relay, pri=38033, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0,
stat=Sent (t3DLexYr021419 Message accepted for delivery)
Apr 13 14:41:00 brotector sm-mta[21426]: STARTTLS=client, relay=
aspmx.l.google.com., version=TLSv1/SSLv3, verify=FAIL,
cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128/128
Apr 13 14:41:01 brotector sm-mta[21426]: t3DLexYr021419: to=<
daytona.leo at gmail.com>, ctladdr=<root at brotector.brotector.bro> (0/0),
delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=128310, relay=
aspmx.l.google.com. [64.233.177.26], dsn=2.0.0, stat=Sent (OK 1428961259
y62si5959254yhc.175 - gsmtp)

So perhaps it's being dropped for seeming like spam, but it does not arrive
in the spam folder. What I really don't understand is why the crash notices
will reach my inbox without issue.

Is there any way to fix this or maybe use an external SMTP authenticated
solution like mandrill? https://mandrillapp.com

I've tried everything and looked up so much information and watched tons of
videos. Countless hours spent. I really can't get the email alerts to work.

Any help is appreciated.

Thanks,

Daytona
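Added example, not part of the original post: a complete local.bro that sets the fields the two email actions actually read from (Notice::mail_dest for ACTION_EMAIL, Site::local_admins for ACTION_EMAIL_ADMIN) and keeps the policy hook out of the shipped weak-keys.bro. The subnet, hostname and mailbox are assumed placeholder values.

```bro
# local.bro (added example, not from the original post)
# Assumed values: the 192.168.1.0/24 monitored network, the host
# brotector.example.com and the mailbox alerts@example.com.

@load policy/protocols/ssl/weak-keys.bro

# The post raises the threshold so every site triggers; keep that for testing
# and lower it again afterwards.
redef SSL::notify_minimal_key_length = 4096;

# ACTION_EMAIL sends to Notice::mail_dest, which is empty by default. The
# notice framework returns without calling sendmail when the destination is
# "" or when Bro is reading a trace file instead of live traffic, so an
# unset mail_dest produces a notice.log entry but no mail and no log error.
redef Notice::mail_dest = "alerts@example.com";
redef Notice::mail_from = "Big Brother <bro@brotector.example.com>";
redef Notice::sendmail  = "/usr/sbin/sendmail";

# ACTION_EMAIL_ADMIN does not use mail_dest: it looks up the notice's src
# address (192.168.1.15 in the notice.log line above) in Site::local_admins
# and mails the admins of the matching subnet. With no entry there, nothing
# is sent.
redef Site::local_nets   += { 192.168.1.0/24 };
redef Site::local_admins += { [192.168.1.0/24] = set("alerts@example.com") };

# Attach the email actions to weak-key notices only. Doing this in local.bro
# survives upgrades, unlike editing the script under share/bro/policy.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSL::Weak_Key )
		{
		add n$actions[Notice::ACTION_EMAIL];
		add n$actions[Notice::ACTION_EMAIL_ADMIN];
		}
	}
```

After deploying, a matching notice.log line should list both actions and /var/log/mail.log should show a sendmail entry with the same timestamp; if the log line appears but no sendmail entry does, the destination lookup is what failed, not the mail relay.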