[Zeek] Creating a module and accessing an event in another script
Merril Mathew
merril.mathew at baby2body.com
Tue Jun 4 09:32:06 PDT 2019
Hi all,

I figured out why it wasn't working. I was trying to print rec. Newbie
mistake. :)

But the notice email action does not work though. It generates notice.log
but does not email. Any silly mistakes anyone can see?

Kind regards,
Merril.

On Tue, 4 Jun 2019 at 16:47, Merril Mathew <merril.mathew at baby2body.com>
wrote:
> Hi all,
>
> I am new to Zeek and would like some help with writing a module and
> accessing the events in another script.
>
> I created a module called SSHAttempt under /usr/local/bro/share/bro/site
> and set up the module with __local__.zeek and main.zeek.
>
> I created a custom log stream based on the result derived from
> ssh_auth_result in SSHAttempt/main.zeek. I also exported the SSH::Info
> record as log_sshattempt from main.zeek.
>
> I can see the notice.log when running with sshquess.pcap. However, if I try
> to access the event that has been exported from SSHAttempt/main.zeek inside
> another script (test.zeek), then I am getting the error that the record
> values are not initialised. I was expecting the auth_fail variable inside the
> SSHAttempt::Info record to be initialised when running the .pcap.
>
> Please find all the necessary files for reference. Any help would be much
> appreciated. :)
>
> Kind regards,
> Merril
>