<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Justin,<div class=""><br class=""></div><div class="">I think I figured it out. I don’t think seeing EMAIL_ACTION in notice.log necessarily sends out email or at least was the case in my scenario. So what I changed was to not directly declare notice variable in the module/main.zeek I created but instead redefine and export it in another script and then notify the variable using the module I created. After that I had to set the ACTION_EMAIL from another script when the defined notice variable is available. I maybe completely wrong here as I also found that this code (found from SSH.main.zeek)</div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class="">event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20</span></div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> {</span></div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> if ( atype == Analyzer::ANALYZER_SSH )</span></div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> {</span></div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22); min-height: 21px;" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""></span><span class="Apple-tab-span" style="white-space:pre"> </span>set_session(c);</div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> }</span></div><div style="margin: 0px; font-stretch: normal; font-size: 18px; line-height: normal; font-family: Menlo; color: rgb(216, 211, 169); background-color: rgb(31, 23, 22);" class=""><span style="font-variant-ligatures: no-common-ligatures" class=""> }</span></div></div><div class=""><div><br class=""></div><div>Is needed for the Log to work and perhaps for Notice as well.</div><div><br class=""></div><div>Now I am struggling to pass the right information to this event (protocol_confirmation). How does one return a record from a function? I can see examples of string and count etc… but not record.</div><div><br class=""></div><div>Kind regards,</div><div>Merril.</div><div><blockquote type="cite" class=""><div class="">On 5 Jun 2019, at 16:03, Justin Azoff <<a href="mailto:justin@corelight.com" class="">justin@corelight.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div dir="ltr" class="">On Tue, Jun 4, 2019 at 12:54 PM Merril Mathew <<a href="mailto:merril.mathew@baby2body.com" class="">merril.mathew@baby2body.com</a>> wrote:<br class=""></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr" class="">Hi Justin,<div class=""><br class=""></div><div class="">I can see ACTION_EMAIL on notice.log when running .pcap. But I included the SSHAttempt module with local.zeek file and if I try to call the notice type defined in the module inside test.zeek then it doesn't work when I ssh into the box. Please find attached the files.</div></div></blockquote><div class=""><br class=""></div><div class="">If your notice.log shows ACTION_EMAIL then it's working properly. It will not send emails when reading a .pcap file.</div><div class=""><br class=""></div></div>-- <br class=""><div dir="ltr" class="gmail_signature"><div dir="ltr" class="">Justin</div></div></div>
</div></blockquote></div><br class=""></div></body></html>