So I have done more tests and here are my findings.

First of all, I added the Notice::policy hook so that every notice gets sent via email (in order not to worry about accepting the right type of notice). Then I tried different ways to launch the `ssh.pcap` with bro.

- `broctl process ssh.pcap -C` => outputs the notice with ACTION_EMAIL but does not send the email (no stderr.log nor email log).
- `bro -r ssh.pcap local "Site::local_nets += { … }" -C` => same output, no emails.

However, if I just start bro via broctl and let it run, I start receiving random notices via email regarding my laptop’s connections. I haven’t been able to reproduce an SSH brute-force attack but I assume it would work that way.

So I am starting to wonder if the commands `bro` and `broctl process` are actually able to send emails. Any ideas on that?

Thanks in advance for your help,

On 28 Feb 2017, 17:27 +0100, Loris Leiva <>, wrote:
Yes, sorry, I meant no errors get logged, but weirdly I still get my notice.log entry with Notice::ACTION_EMAIL in it.

On 28 Feb 2017, 17:24 +0100, Azoff, Justin S <>, wrote:

On Feb 28, 2017, at 11:17 AM, Loris Leiva <> wrote:

Thank you for your answer.

I have checked the logs during my scenario and when the email doesn’t send, nothing gets logged at all (not even on the bro stderr log). However, when I raise a dummy notice in a bro_init() event, then I receive the email and the email gets logged properly.

Nothing gets logged at all? Not even to notice.log?

Note that I am using macOS Sierra so I access my logs through the following command `log stream --predicate '(process == "smtpd") || (process == "smtp")' -info`.

Any idea of what could be the problem?

Thanks again,

- Justin Azoff