CU198 Testing - first feedback on Suricata alert email sending

CU198 Testing - first feedback on Suricata alert email sending

[Adolf Belka]

Hi All,

I just ran the update for CU198 Testing on my vm systems.

The update itself went fine without any error messages or hiccups.

I then went to test the IPS emailing of alerts.

I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.

I set the alert severity to All, Including Informational Alerts.

I then followed the suricata testing process as defined in
https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
and I ended up with alerts in the IPS-Logs but no email message received.

I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.

I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.

I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.

Regards,

Adolf.

Re: CU198 Testing - first feedback on Suricata alert email sending

[Adolf Belka]

Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.

I use a mail server I have running on my local network.

Regards,

Adolf.


On 29/09/2025 14:52, Adolf Belka wrote:
> Hi All,
> 
> I just ran the update for CU198 Testing on my vm systems.
> 
> The update itself went fine without any error messages or hiccups.
> 
> I then went to test the IPS emailing of alerts.
> 
> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
> 
> I set the alert severity to All, Including Informational Alerts.
> 
> I then followed the suricata testing process as defined in
> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
> and I ended up with alerts in the IPS-Logs but no email message received.
> 
> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
> 
> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
> 
> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
> 
> Regards,
> 
> Adolf.
> 

Re: CU198 Testing - first feedback on Suricata alert email sending

[Michael Tremer]

Hello,

Thanks for testing this. So let’s go through this step by step…

First of all, is the companion daemon running? It is a process called suricata-reporter.

If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf.

And finally, can you run “mailq” to see if the emails have been sent and maybe have bounced?

-Michael

> On 29 Sep 2025, at 13:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
> 
> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.
> 
> I use a mail server I have running on my local network.
> 
> Regards,
> 
> Adolf.
> 
> 
> On 29/09/2025 14:52, Adolf Belka wrote:
>> Hi All,
>> I just ran the update for CU198 Testing on my vm systems.
>> The update itself went fine without any error messages or hiccups.
>> I then went to test the IPS emailing of alerts.
>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
>> I set the alert severity to All, Including Informational Alerts.
>> I then followed the suricata testing process as defined in
>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
>> and I ended up with alerts in the IPS-Logs but no email message received.
>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
>> Regards,
>> Adolf.
> 
> 

Re: CU198 Testing - first feedback on Suricata alert email sending

[Adolf Belka]

Hi Michael,


On 29/09/2025 17:44, Michael Tremer wrote:
> Hello,
> 
> Thanks for testing this. So let’s go through this step by step…
> 
> First of all, is the companion daemon running? It is a process called suricata-reporter.

I couldn't find it. Running ps aux | grep suricata showed suricata-watcher and suricata but no suricata-reporter.

> 
> If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf.

Yes there is enabled = true in the [email] section.

> 
> And finally, can you run “mailq” to see if the emails have been sent and maybe have bounced?

Ran that command and got a load of stuff but I don't understand it all all.

Here are just a few that were shown as examples

ID	: 1a0794.335a3b40
From	:
To	: root
--
ID	: 1a078b.335a3b40
From	:
To	: root
--
ID	: 1a078a.335a3b40
From	:
To	: root
--
ID	: 1a0789.335a3b40
From	:
To	: root
--
ID	: 1a0788.335a3b40
From	:
To	: root
--

I am also seeing the following in the dma logs

17:15:00 dma[1a0792.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a0792.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a078c.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a078c.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a078a.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a078a.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a078e.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a078e.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a078a.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
17:15:00 dma[1a0788.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a0788.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a0790.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
17:15:00 dma[1a0790.335a3b40]:  error creating mbox `root'
17:15:00 dma[1a0792.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
17:15:00 dma[1a078c.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
17:15:00 dma[1a0792.335a3b40]:  <root> trying delivery
17:15:00 dma[1a078c.335a3b40]:  <root> trying delivery

Regards,

Adolf.

> 
> -Michael
> 
>> On 29 Sep 2025, at 13:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>
>> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.
>>
>> I use a mail server I have running on my local network.
>>
>> Regards,
>>
>> Adolf.
>>
>>
>> On 29/09/2025 14:52, Adolf Belka wrote:
>>> Hi All,
>>> I just ran the update for CU198 Testing on my vm systems.
>>> The update itself went fine without any error messages or hiccups.
>>> I then went to test the IPS emailing of alerts.
>>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
>>> I set the alert severity to All, Including Informational Alerts.
>>> I then followed the suricata testing process as defined in
>>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
>>> and I ended up with alerts in the IPS-Logs but no email message received.
>>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
>>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
>>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
>>> Regards,
>>> Adolf.
>>
>>
> 

Re: CU198 Testing - first feedback on Suricata alert email sending

[Adolf Belka]

Without any new alerts being triggered by the IPS the dma logs showed more of those messages about error creating mbox root.

I then triggered some more alerts in IPS and no new dma messages were seen.

I also checked the mailq output before and after triggering the alerts and there were no additional entries compared to previously.

Regards,

Adolf.


On 29/09/2025 18:10, Adolf Belka wrote:
> Hi Michael,
> 
> 
> On 29/09/2025 17:44, Michael Tremer wrote:
>> Hello,
>>
>> Thanks for testing this. So let’s go through this step by step…
>>
>> First of all, is the companion daemon running? It is a process called suricata-reporter.
> 
> I couldn't find it. Running ps aux | grep suricata showed suricata-watcher and suricata but no suricata-reporter.
> 
>>
>> If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf.
> 
> Yes there is enabled = true in the [email] section.
> 
>>
>> And finally, can you run “mailq” to see if the emails have been sent and maybe have bounced?
> 
> Ran that command and got a load of stuff but I don't understand it all all.
> 
> Here are just a few that were shown as examples
> 
> ID    : 1a0794.335a3b40
> From    :
> To    : root
> -- 
> ID    : 1a078b.335a3b40
> From    :
> To    : root
> -- 
> ID    : 1a078a.335a3b40
> From    :
> To    : root
> -- 
> ID    : 1a0789.335a3b40
> From    :
> To    : root
> -- 
> ID    : 1a0788.335a3b40
> From    :
> To    : root
> -- 
> 
> I am also seeing the following in the dma logs
> 
> 17:15:00 dma[1a0792.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a0792.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a078c.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a078c.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a078a.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a078a.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a078e.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a078e.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a078a.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
> 17:15:00 dma[1a0788.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a0788.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a0790.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
> 17:15:00 dma[1a0790.335a3b40]:  error creating mbox `root'
> 17:15:00 dma[1a0792.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
> 17:15:00 dma[1a078c.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
> 17:15:00 dma[1a0792.335a3b40]:  <root> trying delivery
> 17:15:00 dma[1a078c.335a3b40]:  <root> trying delivery
> 
> Regards,
> 
> Adolf.
> 
>>
>> -Michael
>>
>>> On 29 Sep 2025, at 13:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>
>>> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.
>>>
>>> I use a mail server I have running on my local network.
>>>
>>> Regards,
>>>
>>> Adolf.
>>>
>>>
>>> On 29/09/2025 14:52, Adolf Belka wrote:
>>>> Hi All,
>>>> I just ran the update for CU198 Testing on my vm systems.
>>>> The update itself went fine without any error messages or hiccups.
>>>> I then went to test the IPS emailing of alerts.
>>>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
>>>> I set the alert severity to All, Including Informational Alerts.
>>>> I then followed the suricata testing process as defined in
>>>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
>>>> and I ended up with alerts in the IPS-Logs but no email message received.
>>>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
>>>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
>>>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
>>>> Regards,
>>>> Adolf.
>>>
>>>
>>
> 

Re: CU198 Testing - first feedback on Suricata alert email sending

[Adolf Belka]

Further info on the mailq stuff.

I went to /var/spool/dma/ and read the contents of some of the files there. Basically they are related to a problem with arpwatch and nothing to do with suricata-reporter.

I will need to separately try and figure out what is happening to cause those. There are 13 entries in the dma directory, all with the same date/time and I checked three different entries and they were all related to arpwatch.

Regards,

Adolf.

On 29/09/2025 18:37, Adolf Belka wrote:
> Without any new alerts being triggered by the IPS the dma logs showed more of those messages about error creating mbox root.
> 
> I then triggered some more alerts in IPS and no new dma messages were seen.
> 
> I also checked the mailq output before and after triggering the alerts and there were no additional entries compared to previously.
> 
> Regards,
> 
> Adolf.
> 
> 
> On 29/09/2025 18:10, Adolf Belka wrote:
>> Hi Michael,
>>
>>
>> On 29/09/2025 17:44, Michael Tremer wrote:
>>> Hello,
>>>
>>> Thanks for testing this. So let’s go through this step by step…
>>>
>>> First of all, is the companion daemon running? It is a process called suricata-reporter.
>>
>> I couldn't find it. Running ps aux | grep suricata showed suricata-watcher and suricata but no suricata-reporter.
>>
>>>
>>> If so, can you check if the configuration file has emails enabled? It is in /var/ipfire/suricata/reporter.conf.
>>
>> Yes there is enabled = true in the [email] section.
>>
>>>
>>> And finally, can you run “mailq” to see if the emails have been sent and maybe have bounced?
>>
>> Ran that command and got a load of stuff but I don't understand it all all.
>>
>> Here are just a few that were shown as examples
>>
>> ID    : 1a0794.335a3b40
>> From    :
>> To    : root
>> -- 
>> ID    : 1a078b.335a3b40
>> From    :
>> To    : root
>> -- 
>> ID    : 1a078a.335a3b40
>> From    :
>> To    : root
>> -- 
>> ID    : 1a0789.335a3b40
>> From    :
>> To    : root
>> -- 
>> ID    : 1a0788.335a3b40
>> From    :
>> To    : root
>> -- 
>>
>> I am also seeing the following in the dma logs
>>
>> 17:15:00 dma[1a0792.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a0792.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a078c.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a078c.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a078a.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a078a.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a078e.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a078e.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a078a.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
>> 17:15:00 dma[1a0788.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a0788.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a0790.335a3b40]:  local delivery deferred: can not create `/var/mail/root'
>> 17:15:00 dma[1a0790.335a3b40]:  error creating mbox `root'
>> 17:15:00 dma[1a0792.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
>> 17:15:00 dma[1a078c.335a3b40]:  cannot execute /usr/lib/dma-mbox-create: No such file or directory
>> 17:15:00 dma[1a0792.335a3b40]:  <root> trying delivery
>> 17:15:00 dma[1a078c.335a3b40]:  <root> trying delivery
>>
>> Regards,
>>
>> Adolf.
>>
>>>
>>> -Michael
>>>
>>>> On 29 Sep 2025, at 13:58, Adolf Belka <adolf.belka@ipfire.org> wrote:
>>>>
>>>> Forgot to mention, I pressed the test button on the Mail Service WUI page and immediately received the test mail message.
>>>>
>>>> I use a mail server I have running on my local network.
>>>>
>>>> Regards,
>>>>
>>>> Adolf.
>>>>
>>>>
>>>> On 29/09/2025 14:52, Adolf Belka wrote:
>>>>> Hi All,
>>>>> I just ran the update for CU198 Testing on my vm systems.
>>>>> The update itself went fine without any error messages or hiccups.
>>>>> I then went to test the IPS emailing of alerts.
>>>>> I used the same sender and recipient email addresses as I have specified on the Mail Service WUI page.
>>>>> I set the alert severity to All, Including Informational Alerts.
>>>>> I then followed the suricata testing process as defined in
>>>>> https://docs.suricata.io/en/suricata-8.0.1/quickstart.html#alerting
>>>>> and I ended up with alerts in the IPS-Logs but no email message received.
>>>>> I checked the System logs for the mail system and there was no message trying to be sent. I ran the test 7 times, so ended up with 7 messages in the IPS-Logs.
>>>>> I then checked the IPS system Logs and there was no mention of detecting the alerts and trying to send an email.
>>>>> I ran the command tail -f /var/log/messages so I could see any additional log entries when I triggered the IPS alerts but again nothing was shown when I triggered the alerts, although the messages did end up in the IPS Logs section.
>>>>> Regards,
>>>>> Adolf.
>>>>
>>>>
>>>
>>
>