First of all, I am really grateful for Bro and its easy scripting. I have been using Bro
in the context of my master thesis and had lots of fun using it.
I am contacting you today as I have encountered a problem that none of my google
researching skills could solve. Let me try and describe it clearly.
What I am trying to achieve:
I am using the pcap file available at https://www.bro.org/static/traces/ssh.pcap to
simulate a SSH::Password_Guessing notice using the command `broctl process`. My goal is
simply to make Bro send me an email when such a notice is raised.
What is going wrong:
Even though the notice is raised, I do not receive any emails.
Hypotheses to eliminate:
- First of all, my broctl.cfg file is configured correctly and, if I raise a random notice
in the `bro_init()` event, I successfully receive the email.
- I am also sure that the notice is being raised properly as a `notice.log` file gets
generated with the relevant notice containing the `Notice::ACTION_EMAIL` action. I even
hard-coded a print inside the module that raises the notice to make sure that this part of
the code was run.
What I have tried:
- redefining Notice::emailed_types
- redefining Notice::alarmed_types
- adding a Notice::policy hook containing `add n$actions[Notice::ACTION_EMAIL];`
I hope that my problem description helps. I am really struggling to understand this
behaviour and cannot find similar problems online.
Please do not hesitate to contact me should you need additional information.
Thank you in advance for your support,
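For reference, here is an added Bro script example (not part of the message above, and not the poster's code) that puts together the two mechanisms the message lists: adding the notice type to Notice::emailed_types, and a Notice::policy hook that adds Notice::ACTION_EMAIL. It assumes SSH::Password_Guessing comes from the stock policy/protocols/ssh/detect-bruteforcing script shipped with Bro 2.x and that Notice::mail_dest is populated (broctl sets it from MailTo in broctl.cfg); the address in the trailing comment is a placeholder.

```bro
# Added example, not from the original message. Assumes the stock Bro
# policy script that defines SSH::Password_Guessing is on BROPATH.
@load protocols/ssh/detect-bruteforcing

# Option 1: mark the notice type as one that is always emailed.
# Notice::emailed_types is a redef-able set[Notice::Type].
redef Notice::emailed_types += { SSH::Password_Guessing };

# Option 2: add the email action from a Notice::policy hook. Unlike
# emailed_types this lets you gate on fields of the notice record,
# e.g. only email for guessing against a particular server.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Password_Guessing )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Without a destination the email action does nothing. broctl fills
# Notice::mail_dest from MailTo in broctl.cfg; for a stand-alone run
# set it explicitly (placeholder address):
# redef Notice::mail_dest = "soc@example.invalid";
```

Either option alone is sufficient; both are shown only to illustrate the difference. One caveat worth checking before concluding the policy is wrong: in the Bro 2.x notice framework, Notice::email_notice_to returns early when reading_traces() is true, so a notice raised while replaying a pcap can carry Notice::ACTION_EMAIL in notice.log and still produce no mail. Confirm email delivery against live traffic (or a small script run with `bro -i`) rather than a trace before debugging the hook itself.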