[Bro] Help with bro scripting exercise question

Seth Hall seth at corelight.com
Wed Aug 2 18:54:50 PDT 2017


Sorry, that code is out of date!  Quite a few years have passed since
that workshop.  Are you just trying to go through the workshop code or
are you actually trying to achieve a particular behavior?  If you're
trying to achieve a behavior, I can help you out with the more modern
way to do that if you'd like.  If you are just trying to go through
the workshop code then I'd say to just skip that one. :)

Have you looked at the exercises on http://try.bro.org/?

  .Seth

On Wed, Aug 2, 2017 at 9:19 PM, craig bowser <reswob10 at gmail.com> wrote:
>
> Hello all, trying to learn bro scripting.  I am working through the
> exercises from the 2011 workshop and I'm getting an error.
>
> I'm on this page:
> https://www.bro.org/bro-workshop-2011/exercises/notices/index.html
>
> I'm on Pt3 More Advanced Policy Notice running this script:
>
> const watched_servers: set[addr] = {
> 172.16.238.136,
> 172.16.238.168,
> } &redef;
>
> redef Notice::policy += {
> 	[$action = Notice::ACTION_ALARM,
> 	 $pred(n: Notice::Info) =
> 		{
> 		return n$note == SSH::Login && n$id$resp_h in watched_servers;
> 		}
> 	]
> };
>
>
> And I'm getting an error that says
>
> #bro -r ssh.pcap local advancebro.bro
> error in ./advancebro.bro, line 10: unknown identifier SSH::Login, at or
> near "SSH::Login"
>
>
> Is the SSH::Login no longer a valid function?
>
> Thanks.
>
>
> Craig L Bowser
> ____________________________
>
> This email is measured by size.  Bits and bytes may have settled during
> transport.
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 
Seth Hall * Corelight, Inc * seth at corelight.com * www.corelight.com

