SSH brute-force email notice

Hello,

First of all, I am really grateful for Bro and its easy scripting. I have been using Bro in the context of my master thesis and had lots of fun using it.

I am contacting you today as I have encountered a problem that none of my google researching skills could solve. Let me try and describe it clearly.

What I am trying to achieve:
I am using the pcap file available at https://www.bro.org/static/traces/ssh.pcap to simulate an SSH::Password_Guessing notice using the command `broctl process`. My goal is simply to make Bro send me an email when such a notice is raised.

What is going wrong:
Even though the notice is raised, I do not receive any emails.

Hypothesis to eliminate:
- First of all, my broctl.cfg file is configured correctly and, if I raise a random notice in the `bro_init()` event, I successfully receive the email.
- I am also sure that the notice is being raised properly, as a `notice.log` file gets generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even hard-coded a print inside the module that raises the notice to make sure that this part of the code was run.

What I have tried:
- redefining Notice::emailed_types
- redefining Notice::alarmed_types
- adding a Notice::policy hook containing `add n$actions[Notice::ACTION_EMAIL];`

I hope that my problem description helps. I am really struggling to understand this behaviour and cannot find similar problems online.

Please do not hesitate to contact me should you need additional information.

Thank you in advance for your support,

Best regards,
Loris

If your notice.log mentioned ACTION_EMAIL but you did not get an email, then you need to look at the bro stderr log and the mail log (/var/log/mail or such) for your machine.

There is sample code here:

https://www.bro.org/sphinx/scripting/index.html#raising-notices

But, I myself would love to see a full example...it's one of the things that often confuses me about bro; most of the time there's snippets of code in the documentation, but I struggle to find a full on setup...maybe I'm missing something. If someone can post something step by step and what to add where I'll add it to my brofaq here:

https://github.com/DigiAngel/brofaq

James

Thank you for your answer.

I have checked the logs during my scenario, and when the email doesn't send, nothing gets logged at all (not even in the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.

Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.

Any idea of what could be the problem?

Thanks again,
Loris

Nothing gets logged at all? Not even to notice.log?

Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.

So I have done more tests and here are my findings.

First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.

- `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
- `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.

However, if I just start bro via broctl and let it run, I start receiving random notices via email regarding my laptop's connections. I haven't been able to reproduce an SSH brute-force attack, but I assume it would work that way.

So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?

Thanks in advance for your help,
Loris

Email sending is automatically disabled if you are reading from a PCAP. It only works when live traffic is being read. I believe this was originally intended to avoid people hammering themselves with email by accident when analyzing a PCAP.

  .Seth

Oh thank you so much, it all makes sense now.

Do you know if there is a way for me to enable this feature with PCAP or an alternative? I would like to simulate a scenario using a big PCAP file for a presentation and it would be great if it could generate emails.

If you don't mind modifying scripts, you can find the line here:
  https://github.com/bro/bro/blob/master/scripts/base/frameworks/notice/main.bro#L338

If you get rid of that if statement it will work.

  .Seth
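The following is an added example, not a script from the thread or from the Bro distribution. It covers both the "what I have tried" list above and Seth's explanation: rather than deleting the `reading_traces()` check in the base notice framework, it records what would have been emailed when Bro replays a trace, so the pcap scenario can be checked without touching base scripts. It assumes a Bro with the standard notice framework (`Notice::policy`, `Notice::emailed_types`, `reading_traces()`) and the `protocols/ssh/detect-bruteforcing` policy script; the log file name `would_email.log` is my own choice.

```bro
##! Added example: make ACTION_EMAIL observable when replaying a pcap.
##! Assumes the standard Bro notice framework and SSH brute-force policy.

@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing

# Let the base framework add ACTION_EMAIL for this notice type, the
# same effect as the Notice::policy hook tried in the thread.
redef Notice::emailed_types += { SSH::Password_Guessing };

# Local record of notices that reached the email action. When Bro reads
# a trace the framework returns before sending mail, so this file is
# the only evidence that the email path was taken. (File name assumed.)
global would_email: file;

event bro_init()
    {
    would_email = open("would_email.log");
    }

# Priority below the base hooks (which run at 9 and above), so the
# emailed_types addition has already happened when this runs.
hook Notice::policy(n: Notice::Info) &priority=-5
    {
    if ( Notice::ACTION_EMAIL !in n$actions )
        return;

    if ( reading_traces() )
        {
        # Offline replay: email is suppressed by the base script, so
        # write what would have been sent instead of waiting for mail.
        print would_email, fmt("%D %s %s", n$ts, n$note,
                               n?$msg ? n$msg : "");
        }
    # Live run: nothing to do, the framework sends the email itself.
    }
```

Run it as `bro -C -r ssh.pcap local this_script.bro`; an SSH::Password_Guessing line in `would_email.log` confirms the notice carried ACTION_EMAIL, while the same script changes nothing when Bro reads live traffic.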

That's perfect! Thanks again for your help.

Loris