Bro 2.5/2.6 on FIPS-enabled Host

I have tried my Google-fu far and wide, but I have not found a
solution yet to operate Bro on a FIPS-enabled host. When FIPS is
enabled via the kernel, Bro refuses to start because of its use of
MD5. Any assistance in the matter would be appreciated.

- Stephen

Hi Stephen,

a pull request about this was actually just merged; see and

This will be in the 2.7 version once it is released. For 2.6 and earlier, the easiest is probably to set the magic “MD5 is allowed” environment variable that most distributions that I know offer and to note in your security policy that this is ok because Zeek does not use MD5 for security, only to output hash information.



Thank you. This has put me in the right direction.

- Stephen


Is there a way ton have multiple recipient of the Bro alerts ?
I have a script that sends emails for 5 alerts. I would like to send some alerts to some different recipients...
Could define this directly in my script or in brotctl.cfg or others ?

Thanks in advance for your help



I found “Notice::mail_dest”,
So I define this in my script :

redef Notice::mail_dest = “”;
redef Notice::emailed_types += { SSH::Password_Guessing, };
hook Notice::policy(n: Notice::Info) {
if ( n$note == SSH::Password_Guessing )
add n$actions[Notice::ACTION_EMAIL]; }

It doesn’t work… the alert is always sent to the default email in broctl.cfg.
I see in documentation : “Note this is overridden by the BroControl MailTo option.”

Do you how I can use ‘mail_dest’ option correctly ?



Can somebody help me ?

I tried to put

const mail_dest = “” &redef;
in /framework/notice/main.bro

or my local.bro
but nothing work,

I tried also to put in my script
redef Notice::mail_dest = “”;
but nothing work,

How can I send ACTION_ALARM to the email of “mail_dest” ?

I’m realy lost…

Thanks in advance,


If you are using BroControl, have you tried setting the MailTo option
and/or MailAlarmsTo option in broctl.cfg ? As you saw from the
documentation, those take precedence over values defined in scripts.

- Jon

Thanks, It works fine with MailAlarmsTo in broctl.cfg.
But MailAlarmsTo works with ACTION_ALARM and send only alarm summary mails, not directly the alarm...

Thank you,