[Bro] SSH brute-force email notice

Loris Leiva loris.leiva at gmail.com
Tue Feb 28 06:48:52 PST 2017


Hello,

First of all, I am really grateful for Bro and its easy scripting. I have been using Bro in the context of my master thesis and had lots of fun using it.

I am contacting you today as I have encountered a problem that none of my google researching skills could solve. Let me try and describe it clearly.

What I am trying to achieve:
I am using the pcap file available at https://www.bro.org/static/traces/ssh.pcap to simulate an SSH::Password_Guessing notice using the command `broctl process`. My goal is simply to make Bro send me an email when such a notice is raised.

What is going wrong:
Even though the notice is raised, I do not receive any emails.

Hypothesis to eliminate:
- First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email.
- I am also sure that the notice is being raised properly, as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run.

What I have tried:
- redefining Notice::emailed_types
- redefining Notice::alarmed_types
- adding a Notice::policy hook containing `add n$actions[Notice::ACTION_EMAIL];`

I hope that my problem description helps. I am really struggling to understand this behaviour and cannot find similar problems online.

Please do not hesitate to contact me should you need additional information.

Thank you in advance for your support,

Best regards,
Loris
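The configuration described in the post, written out as an added example (this is not code from the post or from the Bro project): a `local.bro` fragment that routes SSH::Password_Guessing to the email action by both of the mechanisms the poster mentions, sets the mail destination explicitly, and lowers the brute-force detector's threshold so a short trace trips it. The mail address and the threshold values are placeholders chosen for the example. One check worth making before blaming the policy: in the notice framework's `base/frameworks/notice/main.bro`, look at `Notice::email_notice_to`; in current Zeek sources it returns before invoking sendmail when `reading_traces()` is true or `Notice::mail_dest` is empty, and if your 2.x version has the same guard, a notice raised while replaying a pcap will carry ACTION_EMAIL in `notice.log` without any mail being sent, which matches the symptom described above (a `bro_init()` notice fires before the trace is opened, so it is not affected).

```bro
# Added example: route SSH::Password_Guessing to email.
# Assumes Bro 2.x with the stock notice framework; mail address is a placeholder.
@load protocols/ssh/detect-bruteforcing

# Route 1: emailed_types is consulted by the framework's own Notice::policy
# hook, which adds ACTION_EMAIL for every notice whose type is in the set.
redef Notice::emailed_types += { SSH::Password_Guessing };

# Route 2: an explicit policy hook.  Equivalent for this type, but the place
# to attach conditions (e.g. only alert on external sources).  Priority 5
# runs it before the framework's default hooks.
hook Notice::policy(n: Notice::Info) &priority=5
	{
	if ( n$note == SSH::Password_Guessing )
		add n$actions[Notice::ACTION_EMAIL];
	}

# email_notice_to() does nothing when the destination is empty.  broctl
# fills this in from MailTo in broctl.cfg; set it yourself when running
# `bro -r ssh.pcap local` outside broctl.  (Placeholder address.)
redef Notice::mail_dest = "secops@example.com";

# detect-bruteforcing defaults to 30 failed guesses within 30 minutes.
# Lower both so a short capture reaches the threshold (example values).
redef SSH::password_guesses_limit = 5.0;
redef SSH::guessing_timeout = 10 mins;
```

When testing against a trace, confirm the action reached `notice.log` first (as the poster did), then confirm the sendmail path was actually entered; if the framework short-circuits on `reading_traces()`, the only way to exercise the mail path end to end is to replay the pcap on a live interface (for example with tcpreplay) rather than with `-r`.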