[Bro] Field value missing
Siwek, Jon
jsiwek at illinois.edu
Mon Mar 30 08:19:45 PDT 2015
> On Mar 29, 2015, at 10:55 PM, Javier Richard Quinto Ancieta <richardqa at gmail.com> wrote:
>
> ...
> hook Notice::policy(n: Notice::Info)
>     {
>     if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
>         add n$actions[Notice::ACTION_EMAIL];
>     }
> ...
>
> And write it in the file ../local.bro
>
> But when I generate an attack on IP (10.0.0.1), I get an error: "field value missing [n$id]".
Sorry, the documentation here is out of date. The SSH::Password_Guessing notice now seems able to track a guesser across multiple servers, so in order to check if they attempted a certain server, you’d have to inspect the value of n$sub to see if it’s mentioned there. E.g.:

    hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSH::Password_Guessing && /10\.0\.0\.1/ in n$sub )
            add n$actions[Notice::ACTION_EMAIL];
        }

- Jon
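
A stricter form of the same check, added here as an example and not part of the original thread: it tests that the optional `n$sub` field is present before reading it (the same class of error as "field value missing [n$id]") and compares whole addresses, so a notice listing 10.0.0.10 does not match 10.0.0.1. It assumes `n$sub` lists the servers as dotted IPv4 text; `watched_server` is a hypothetical name.

```bro
# Added example, not from the original post.
# Assumption: n$sub carries the sampled server addresses as dotted IPv4 text.
@load protocols/ssh/detect-bruteforcing

# Hypothetical option: the server whose guessing notices should be emailed.
const watched_server = 10.0.0.1 &redef;

hook Notice::policy(n: Notice::Info)
	{
	# n$sub is an optional field; reading it when unset raises
	# "field value missing", so test for it first.
	if ( n$note == SSH::Password_Guessing && n?$sub )
		{
		# Pull out every dotted-quad token. Each match takes the full
		# run of digits, so "10.0.0.10" is extracted whole and is
		# never mistaken for "10.0.0.1".
		local candidates = find_all(n$sub, /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/);

		for ( s in candidates )
			{
			if ( to_addr(s) == watched_server )
				add n$actions[Notice::ACTION_EMAIL];
			}
		}
	}
```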