[Bro] SSH brute-force email notice

Loris Leiva loris.leiva at gmail.com
Tue Feb 28 08:17:17 PST 2017


Thank you for your answer.

I have checked the logs during my scenario, and when the email isn't sent, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, I receive the email and it gets logged properly.

Note that I am using macOS Sierra, so I access my logs through the following command: `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.

Any idea what the problem could be?

Thanks again,
Loris

On 28 Feb 2017, 16:01 +0100, Azoff, Justin S <jazoff at illinois.edu>, wrote:
>
> > On Feb 28, 2017, at 9:48 AM, Loris Leiva <loris.leiva at gmail.com> wrote:
>
> > What is going wrong:
> > Even though the notice is raised, I do not receive any emails.
> >
> > Hypothesis to eliminate:
> > - First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email.
> > - I am also sure that the notice is being raised properly, as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run.
>
> If your notice.log mentioned ACTION_EMAIL but you did not get an email, then you need to look at the bro stderr log and the mail log (/var/log/mail or such) for your machine.
>
> --
> - Justin Azoff
>
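For reference, an added example (not code from this thread or from the Bro project) of a script that does both things discussed above: it routes SSH brute-force notices to email through a `Notice::policy` hook and raises a dummy notice in `bro_init()` so that mail delivery can be checked independently of the SSH detection. It assumes Bro 2.x and the bundled `protocols/ssh/detect-bruteforcing` policy, which defines the `SSH::Password_Guessing` notice type; `LocalMail::Mail_Test` is a constructed name.

```bro
# Added example, not from the thread. Assumes Bro 2.x and the bundled policy
# script protocols/ssh/detect-bruteforcing (defines SSH::Password_Guessing).
@load protocols/ssh/detect-bruteforcing

module LocalMail;

export {
    redef enum Notice::Type += {
        ## Constructed notice type, raised once at startup purely to
        ## confirm that broctl's mail settings deliver end to end.
        Mail_Test
    };
}

# Add ACTION_EMAIL to the notices we care about. The notice is still written
# to notice.log with its actions column, which is what the thread checks.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing || n$note == Mail_Test )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Dummy notice at startup: if this email arrives but the SSH one does not,
# the mail path works and the problem lies with the SSH notice itself; if
# neither arrives, check the bro stderr log and the system mail log.
event bro_init()
    {
    NOTICE([$note=Mail_Test,
            $msg="Bro mail test: ACTION_EMAIL delivery is working"]);
    }
```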