[Bro] SSH brute-force email notice

Loris Leiva loris.leiva at gmail.com
Tue Feb 28 14:05:19 PST 2017


Oh thank you so much, it all makes sense now.

Do you know if there is a way for me to enable this feature with PCAP or an alternative? I would like to simulate a scenario using a big PCAP file for a presentation and it would be great if it could generate emails.

On 28 Feb 2017, 23:03 +0100, Seth Hall <seth at icir.org>, wrote:
> Email sending is automatically disabled if you are reading from a PCAP. It only works when live traffic is being read. I believe this was originally intended to avoid people hammering themselves with email on accident when analyzing a PCAP.
>
> .Seth
>
> > On Feb 28, 2017, at 12:31 PM, Loris Leiva <loris.leiva at gmail.com> wrote:
> >
> > So I have done more tests and here are my findings.
> >
> > First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.
> >
> > - `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
> > - `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.
> >
> > However, if I just start bro via broctl and let it run, I start receiving random notices via emails regarding my laptop’s connections. I haven’t been able to reproduce an SSH brute-force attack but I assume it would work that way.
> >
> > So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?
> >
> > Thanks in advance for your help,
> > Loris
> >
> >
> >
> > On 28 Feb 2017, 17:27 +0100, Loris Leiva <loris.leiva at gmail.com>, wrote:
> > > Yes sorry I meant no errors get logged but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.
> > >
> > > On 28 Feb 2017, 17:24 +0100, Azoff, Justin S <jazoff at illinois.edu>, wrote:
> > > >
> > > > > On Feb 28, 2017, at 11:17 AM, Loris Leiva <loris.leiva at gmail.com> wrote:
> > > > >
> > > > > Thank you for your answer.
> > > > >
> > > > > I have checked the logs during my scenario and when the email doesn’t send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.
> > > >
> > > > Nothing gets logged at all? Not even to notice.log?
> > > >
> > > > >
> > > > > Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.
> > > > >
> > > > > Any idea of what could be the problem?
> > > > >
> > > > > Thanks again,
> > > > > Loris
> > > >
> > > > --
> > > > - Justin Azoff
> > > >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
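A script for the setup discussed in this thread, added here as an example rather than code anyone posted to the list: it attaches ACTION_EMAIL only to SSH brute-force notices instead of to every notice, and raises a dummy notice in bro_init() to confirm the mail path, as Loris did. The destination address is an assumed placeholder, and, as Seth explains above, the mail is only sent when Bro reads live traffic, not a PCAP.

```bro
# Load the SSH brute-force detector, which raises SSH::Password_Guessing
# once a source exceeds the configured number of failed logins.
@load protocols/ssh/detect-bruteforcing

# Destination for notices carrying ACTION_EMAIL (assumed placeholder address).
redef Notice::mail_dest = "secops@example.com";

# Select which notices are e-mailed: only SSH brute-force notices,
# instead of adding ACTION_EMAIL to every notice the policy sees.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }

# One-off check that mail delivery works at all, as tried in the thread.
# The action is set directly so it is e-mailed without matching the hook above.
# Remove this once the mail path is confirmed.
event bro_init()
    {
    NOTICE([$note=Notice::Tally,
            $msg="mail path check",
            $actions=set(Notice::ACTION_EMAIL)]);
    }
```

After deploying, notice.log should show the SSH notice with ACTION_EMAIL in its actions column; with `bro -r` or `broctl process` that entry still appears, but no mail is generated.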