[Zeek] Creating a module and accessing an event in another script
Merril Mathew
merril.mathew at baby2body.com
Wed Jun 5 08:45:19 PDT 2019
Hi Justin,
I think I figured it out. I don’t think seeing ACTION_EMAIL in notice.log necessarily sends out email, or at least that was the case in my scenario. So what I changed was to not directly declare the notice variable in the module/main.zeek I created but instead redefine and export it in another script and then notify the variable using the module I created. After that I had to set the ACTION_EMAIL from another script when the defined notice variable is available. I may be completely wrong here, as I also found that this code (found in SSH/main.zeek)
# From base/protocols/ssh/main.zeek, inside `module SSH;`, where set_session()
# is a module-local function that creates the SSH::Info record for a connection.
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
	{
	# Only act once the SSH analyzer has confirmed the protocol on this connection.
	if ( atype == Analyzer::ANALYZER_SSH )
		{
		# Create (or look up) the per-connection SSH::Info record.
		set_session(c);
		}
	}
is needed for the Log to work and perhaps for Notice as well.
Now I am struggling to pass the right information to this event (protocol_confirmation). How does one return a record from a function? I can see examples of string and count etc… but not record.
Kind regards,
Merril.
> On 5 Jun 2019, at 16:03, Justin Azoff <justin at corelight.com> wrote:
>
> On Tue, Jun 4, 2019 at 12:54 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
> Hi Justin,
>
> I can see ACTION_EMAIL on notice.log when running .pcap. But I included the SSHAttempt module with local.zeek file and if I try to call the notice type defined in the module inside test.zeek then it doesn't work when I ssh into the box. Please find attached the files.
>
> If your notice.log shows ACTION_EMAIL then it's working properly. It will not send emails when reading a .pcap file.
>
> --
> Justin
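An added example, not code from this thread or from Zeek's own scripts, showing the three pieces the exchange above touches on: a module that exports a Notice::Type, a function that returns a record (declared with the record type as its return type, then returned like any other value), and a separate Notice::policy hook that attaches Notice::ACTION_EMAIL to that notice. The module name SSHAttempt comes from the thread; the record type Attempt, the function summarize(), the notice type Excessive_Attempts and the mail destination are assumed names and placeholder values.

```zeek
module SSHAttempt;

export {
	# Exported so other scripts (e.g. local.zeek) can refer to SSHAttempt::Excessive_Attempts.
	redef enum Notice::Type += {
		Excessive_Attempts,   # assumed name for this example
	};

	# A record type; assumed name for this example.
	type Attempt: record {
		src:      addr;
		dst:      addr;
		attempts: count &default=0;
	};

	# A function returns a record the same way it returns a string or count:
	# give the record type as the return type and return an instance of it.
	global summarize: function(c: connection): Attempt;
}

function summarize(c: connection): Attempt
	{
	local a: Attempt = [$src=c$id$orig_h, $dst=c$id$resp_h, $attempts=1];
	return a;
	}

# Raise the notice once the SSH analyzer has confirmed the protocol, following
# the protocol_confirmation pattern quoted in the thread.  SSH::main.zeek runs
# its own handler at &priority=20, so this one runs after set_session().
event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=5
	{
	if ( atype != Analyzer::ANALYZER_SSH )
		return;

	local a = summarize(c);
	NOTICE([$note=Excessive_Attempts,
	        $conn=c,
	        $msg=fmt("SSH session confirmed from %s to %s, %d attempt(s) seen",
	                 a$src, a$dst, a$attempts)]);
	}

# Attaching ACTION_EMAIL in a Notice::policy hook, rather than inside the
# NOTICE() call, keeps the "should this e-mail someone" decision in local policy.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSHAttempt::Excessive_Attempts )
		add n$actions[Notice::ACTION_EMAIL];
	}

# As noted in the thread, no mail is delivered when reading a pcap. On a live
# sensor a destination must also be set (placeholder address).
redef Notice::mail_dest = "security-team@example.invalid";
```

With this loaded (for instance via `@load` from local.zeek), notice.log should show ACTION_EMAIL in the actions column for Excessive_Attempts when a live SSH session is seen; whether an e-mail actually leaves the sensor then depends on Notice::mail_dest and the host's mail setup, not on the script.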