[Zeek] Creating a module and accessing an event in another script

Tue Jun 4 08:47:30 PDT 2019

Hi all,

I am new to Zeek and would like some help with writing a module and
accessing the events in another script.

I created a module called SSHAttempt under /usr/local/bro/share/bro/site
and set up the module with __local__.zeek and main.zeek.

I created a custom log stream based on the result derived from
ssh_auth_result in SSHAttempt/main.zeek. I also exported the SSH::Info
record as log_sshattempt from main.zeek.

I can see the notice.log when running with sshquess.pcap. However if I try
to access the event that has been exported from SSHAttempt/main.zeek inside
another script (test.zeek) then I am getting the error that the record
values are not initialised. I was expecting auth_fail variable inside
SSHAttempt::Info record to be initialised when running .pcap.

Please find all the necessary files for reference. Any help would be much
appreciated. :)

Kind regards,
Merril
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190604/9ed4999b/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: __local__.zeek
Type: application/octet-stream
Size: 12 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190604/9ed4999b/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: main.zeek
Type: application/octet-stream
Size: 1994 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190604/9ed4999b/attachment-0001.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.zeek
Type: application/octet-stream
Size: 205 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190604/9ed4999b/attachment-0002.obj 