[Zeek] Creating a module and accessing an event in another script

Jon Siwek jsiwek at corelight.com
Tue Jun 4 09:37:46 PDT 2019


On Tue, Jun 4, 2019 at 8:56 AM Merril Mathew
<merril.mathew at baby2body.com> wrote:

> I created a module called SSHAttempt under /usr/local/bro/share/bro/site and set up the module with __local__.zeek and main.zeek.

The magic filename for loading directories is "__load__.zeek", not
"__local__.zeek".

> However if I try to access the event that has been exported from SSHAttempt/main.zeek inside another script (test.zeek) then I am getting the error that the record values are not initialised. I was expecting auth_fail variable inside SSHAttempt::Info record to be initialised when running .pcap.

The event handler in test.zeek was creating an uninitialized record
and printing it instead of printing the one given as an argument like:

event log_sshattempt(rec: Info) &priority=5
    {
    print rec;
    }

- Jon
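
The layout discussed in this thread, as an added sketch that is not code from the original posts: a directory module loaded through __load__.zeek, and a handler in test.zeek that prints the record passed to it. Only SSHAttempt, Info, auth_fail and log_sshattempt come from the thread; the other fields, the log path and the connection_state_remove trigger are assumptions.

```zeek
# SSHAttempt/__load__.zeek holds one line:  @load ./main

# ---- SSHAttempt/main.zeek ----
@load base/protocols/ssh

module SSHAttempt;

export {
    redef enum Log::ID += { LOG };

    type Info: record {
        ts:        time    &log;   # assumed field
        id:        conn_id &log;   # assumed field
        auth_fail: bool    &log;   # field named in the thread
    };

    # Raised by the logging framework for every record written to LOG.
    global log_sshattempt: event(rec: Info);
}

event zeek_init()   # named bro_init on releases before the rename
    {
    Log::create_stream(LOG, [$columns=Info, $ev=log_sshattempt, $path="sshattempt"]);
    }

# Assumed trigger: log one record per SSH connection with a known auth result.
event connection_state_remove(c: connection)
    {
    if ( ! c?$ssh || ! c$ssh?$auth_success )
        return;
    local rec: Info = [$ts=network_time(), $id=c$id, $auth_fail=! c$ssh$auth_success];
    Log::write(LOG, rec);
    }

# ---- test.zeek (after: @load SSHAttempt) ----
module GLOBAL;

# Outside the module, the event and the record type both need the SSHAttempt:: prefix.
event SSHAttempt::log_sshattempt(rec: SSHAttempt::Info) &priority=5
    {
    # A fresh `local r: SSHAttempt::Info;` here would have no fields set;
    # the populated record is the one delivered as the event argument.
    print rec$id$orig_h, rec$auth_fail;
    }
```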