[Zeek] Creating a module and accessing an event in another script

Justin Azoff justin at corelight.com
Wed Jun 5 08:55:03 PDT 2019


On Wed, Jun 5, 2019 at 11:45 AM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi Justin,
>
> I think I figured it out. I don’t think seeing EMAIL_ACTION in notice.log
> necessarily sends out email or at least was the case in my scenario.
>

If notice.log contains ACTION_EMAIL under actions then it would have sent
the email when reading live traffic.  If you were not getting the email
then you had smtp issues, not zeek issues...


> So what I changed was to not directly declare notice variable in the
> module/main.zeek I created but instead redefine and export it in another
> script and then notify the variable using the module I created. After that
> I had to set the ACTION_EMAIL from another script when the defined notice
> variable is available.
>

You did not need to make any of those changes, the previously shared files
were all perfect.


> I may be completely wrong here as I also found that this code (found from
> SSH.main.zeek)
>
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
> 	{
> 	if ( atype == Analyzer::ANALYZER_SSH )
> 		{
> 		set_session(c);
> 		}
> 	}
>
> is needed for the Log to work and perhaps for Notice as well.
>

It is not needed.  That is code specific to the existing ssh policy to
start tracking the ssh session as soon as it is detected.  This is not
relevant to what you are doing since you only care about authentication
attempts.


> Now I am struggling to pass the right information to this event
> (protocol_confirmation).
>

You don't pass information to that event.  You should not need to do
anything with that event.


> How does one return a record from a function? I can see examples of string
> and count etc… but not record.
>

You return a record exactly the same way you return a string or a count,
there is no difference.

-- 
Justin
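As an added example that is not code from this thread or from Zeek's own scripts, the following module ties together the two points above: it returns a record from a function (exactly the way a string or count is returned, as Justin says) and it raises a Notice whose actions column in notice.log will carry Notice::ACTION_EMAIL, with the action attached from a Notice::policy hook rather than in the module itself. The module name SSHAuthWatch, the record type AttemptInfo, the function describe_attempt, the notice type Auth_Attempt and the mail address are all assumed names and placeholders; the events ssh_auth_successful and ssh_auth_failed are Zeek's own.

```zeek
##! Added example (assumed names throughout): return a record from a
##! function and raise a Notice that is emailed via Notice::ACTION_EMAIL.

@load base/frameworks/notice
@load base/protocols/ssh

module SSHAuthWatch;

export {
	redef enum Notice::Type += {
		## Raised once per observed SSH authentication outcome.
		Auth_Attempt,
	};

	## Record type returned by describe_attempt().
	type AttemptInfo: record {
		client:     addr;
		server:     addr;
		successful: bool;
	};

	## Build an AttemptInfo from a connection. Returning a record is no
	## different from returning a string or a count: construct it, return it.
	global describe_attempt: function(c: connection, success: bool): AttemptInfo;
}

function describe_attempt(c: connection, success: bool): AttemptInfo
	{
	return AttemptInfo($client=c$id$orig_h,
	                   $server=c$id$resp_h,
	                   $successful=success);
	}

# Shared by both SSH auth events: raise the notice with the record's fields.
function report(c: connection, success: bool)
	{
	local info = describe_attempt(c, success);
	NOTICE([$note=Auth_Attempt,
	        $conn=c,
	        $msg=fmt("SSH auth attempt from %s to %s (success=%s)",
	                 info$client, info$server, info$successful),
	        # Suppress repeats for the same client/server pair.
	        $identifier=cat(info$client, info$server)]);
	}

event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	report(c, T);
	}

event ssh_auth_failed(c: connection)
	{
	report(c, F);
	}

# This hook can live in a separate policy script; it adds the email action
# to this notice type, which is what shows up under "actions" in notice.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSHAuthWatch::Auth_Attempt )
		add n$actions[Notice::ACTION_EMAIL];
	}

# Placeholder recipient; delivery still depends on a working local sendmail.
redef Notice::mail_dest = "soc-alerts@example.com";
```

Load the script alongside the base scripts (for example `zeek -i eth0 sshauthwatch.zeek` on live traffic) and check notice.log: each Auth_Attempt row should list Notice::ACTION_EMAIL in its actions column, and whether a message actually arrives is then a question for the mail setup, not for the Zeek script.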