[Bro] Field value missing

Mike Dopheide dopheide at gmail.com
Mon Mar 30 08:49:52 PDT 2015


Javier,

To add to what Jon said...

In this case you're hitting a situation where not all Notices are created
equal.

I believe, for SSH::Password_Guessing, the connection 'id' itself isn't
populated, so the n$id isn't there to reference n$id$resp_h from.  It will
have an n$src if you wanted the originator, but for recipient you need to
look at the notice subject (see Jon's message).  The recipients listed
there are a sampled set.

-Dop
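To make the guard Dop describes concrete, here is an added example of a Notice::policy hook that copes with both kinds of notice. It is not code from this thread, from the Bro documentation page Javier cites or from the Bro project; it assumes the stock protocols/ssh/detect-bruteforcing script is what raises SSH::Password_Guessing, and the constant name `watched_ssh_server` and the "Sampled servers: ..." format of `$sub` are assumptions.

```bro
# Added example, not code from the thread or the Bro project.
# Assumes SSH::Password_Guessing comes from the stock detect-bruteforcing
# script; the constant name below is hypothetical.
@load protocols/ssh/detect-bruteforcing

# Hypothetical: the SSH server whose guessing attempts should be emailed.
const watched_ssh_server = 10.0.0.1 &redef;

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note != SSH::Password_Guessing )
        return;

    # Notice::Info$id is &optional. Test for it with n?$id before
    # dereferencing; a notice without a connection id would otherwise
    # abort the hook with "field value missing [n$id]".
    if ( n?$id && n$id$resp_h == watched_ssh_server )
        {
        add n$actions[Notice::ACTION_EMAIL];
        return;
        }

    # SSH::Password_Guessing is raised per guessing host, not per
    # connection: $src is the guesser, and $sub carries a sampled list of
    # the servers it hit (assumed format "Sampled servers: a, b, ...").
    # strstr() returns 0 when the substring is absent.
    if ( n?$sub && strstr(n$sub, cat(watched_ssh_server)) > 0 )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

Two caveats: the substring test also matches longer addresses with the same prefix (10.0.0.1 inside 10.0.0.10), so tighten it with a pattern if that matters on your network; and because the target list in `$sub` is only a sample, a guesser that hit the watched server may not show up there at all, in which case `n$src` is the only reliable field you get from this notice.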




On Sun, Mar 29, 2015 at 10:55 PM, Javier Richard Quinto Ancieta <
richardqa at gmail.com> wrote:

> Greetings all,
>
> I am new to Bro, and I hope you can help me.
>
> I read the following documentation:
> https://www.bro.org/sphinx-git/frameworks/notice.html
>
> Exactly, this part of the code:
>
> ...
> hook Notice::policy(n: Notice::Info)
>   {
>   if ( n$note == SSH::Password_Guessing && n$id$resp_h == 10.0.0.1 )
>     add n$actions[Notice::ACTION_EMAIL];
>   }
> ...
>
> And I wrote it in the file ../local.bro
>
> But when I generate an attack against the IP (10.0.0.1), I get an error:
> "field value missing [n$id]".
>
> I use "bro -i eth0 local" to debug the logs live.
>
> I made many changes; I also used "$id?$resp_h" to check for errors, and I
> got the same error. I am sorry, but I am new to Bro and I would like to
> know how I can fix that.
>
> Thank you
> Javier
>
> --
> Saludos Cordiales
> Javier
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>