[Bro] Question on quick start documentation SSH:Login example.

Siwek, Jon jsiwek at illinois.edu
Tue Aug 5 07:59:22 PDT 2014


On Aug 5, 2014, at 8:28 AM, nithen <nithen at gmail.com> wrote:

> I am following the Quick Start documentation found here:
> http://www.bro.org/sphinx/quickstart/index.html
> 
> I can't get the deployment customization example on "SSH:Login" to work.

That documentation is not correct anymore, sorry about that.  Will see about getting it fixed, but I put an example at [1] that should work to accomplish the same thing.  The “SSH::heuristic_successful_login” event is somewhat delayed, so just be aware of that if you’re looking for immediate feedback to check whether it’s working.  And another gotcha is that the event only triggers after a certain amount of data is transmitted so just logging in/out real quick may not be detected.  (I’m realizing this example is no longer that straightforward and probably doesn’t belong in the quick-start guide anymore).

- Jon

[1] https://gist.github.com/jsiwek/2a7692aa9f24e197ca9c


