[Bro] Field value missing
dopheide at gmail.com
Mon Mar 30 08:49:52 PDT 2015
To add to what Jon said...
In this case you're hitting a situation where not all Notices are created
I believe, for SSH::Password_Guessing, the connection 'id' itself isn't
populated, so the n$id isn't there to reference n$id$resp_h from. It will
have an n$src if you wanted the originator, but for recipient you need to
look at the notice subject (see Jon's message). The recipients listed
there are a sampled set.
On Sun, Mar 29, 2015 at 10:55 PM, Javier Richard Quinto Ancieta <
richardqa at gmail.com> wrote:
> Greetings all,
> I am new to Bro, and I hope you can help me.
> I read the following documentation:
> Exactly, this part of the code:
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
>         add n$actions[Notice::ACTION_EMAIL];
>     }
> And write it in the file ../local.bro
> But when I generate an attack to IP (10.0.0.1), I get an error: "*field
> value missing [n$id]*".
> I use *bro -i eth0 local* to debug logs live.
> I made many changes, and I also used "$id?$resp_h" to check for errors, and I got
> the same error. I am sorry, but I am new to Bro and I would like to know
> how I can fix that.
> Thank you
> Kind regards
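Added example, not part of the original thread or of Bro's own scripts: a Notice::policy hook that tests for n$id with the ?$ operator before dereferencing it, and falls back to the notice subject when the connection record is absent. It assumes n$sub carries the sampled responder addresses as plain text, as the reply describes; 10.0.0.1 is the address from the question.

```bro
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Password_Guessing )
        return;

    # n$id is an optional field. The presence test goes on the record that
    # holds it (n?$id), and must come before any n$id$... access.
    if ( n?$id )
        {
        if ( n$id$resp_h == 10.0.0.1 )
            add n$actions[Notice::ACTION_EMAIL];
        return;
        }

    # No connection record on this notice: match the address in the subject.
    # Padding with spaces and excluding digits and dots on both sides keeps
    # 10.0.0.1 from matching inside 10.0.0.10 or 110.0.0.1.
    # Assumption: the subject is free text that lists responder addresses.
    if ( n?$sub && /[^0-9.]10\.0\.0\.1[^0-9.]/ in fmt(" %s ", n$sub) )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Because the subject holds only a sampled set of responders, this fallback can miss guessing activity against 10.0.0.1; n$src still identifies the originator in every case.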