[Zeek] Creating a module and accessing an event in another script

Merril Mathew merril.mathew at baby2body.com
Wed Jun 5 09:11:12 PDT 2019


Hi Justin,

Thanks. But it did not work for me. Yes, everything works fine if I use the log_ssh event exported from the SSH module. I can check if it's authenticated from the SSH::Info. However, what I tried to do was to use ssh_auth_result, which is exported globally. Not sure the live traffic on SSH would trigger ssh_auth_result. That's why I tried to include the SSH analyser and protocol_confirmation event with my module. Once I put that in, then it generates an email and log. Maybe I am just looking at it completely the wrong way.

With regard to the function return, this gives me an error:

function set_session(c: connection, auth_fail: string &default="", auth_success: string &default=""): SSHAttempt::Info
	{
	# Create the per-connection record on first use. Assumes the connection
	# record was extended with: redef record connection += { sshattempt: SSHAttempt::Info &optional; };
	if ( ! c?$sshattempt )
		{
		local info: SSHAttempt::Info;
		info$ts = network_time();
		c$sshattempt = info;
		}
	# &default (not &optional) is what lets a caller omit a parameter;
	# only set the optional fields when a value was actually passed.
	if ( auth_fail != "" )
		c$sshattempt$auth_fail = auth_fail;
	if ( auth_success != "" )
		c$sshattempt$auth_success = auth_success;
	# Return the record on every path, not only when it was just created.
	return c$sshattempt;
	}

Kind regards,
Merril.
> On 5 Jun 2019, at 16:55, Justin Azoff <justin at corelight.com> wrote:
> 
> On Wed, Jun 5, 2019 at 11:45 AM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
> Hi Justin,
> 
> I think I figured it out. I don’t think seeing EMAIL_ACTION in notice.log necessarily sends out email or at least was the case in my scenario.
> 
> If notice.log contains ACTION_EMAIL under actions then it would have sent the email when reading live traffic.  If you were not getting the email then you had smtp issues, not zeek issues...
>  
> So what I changed was to not directly declare notice variable in the module/main.zeek I created but instead redefine and export it in another script  and then notify the variable using the module I created. After that I had to set the ACTION_EMAIL from another script when the defined notice variable is available.
> 
> You did not need to make any of those changes, the previously shared files were all perfect.
>  
> I may be completely wrong here, as I also found that this code (found in SSH main.zeek)
> event protocol_confirmation(c: connection, atype: Analyzer::Tag, aid: count) &priority=20
> 	{
> 	if ( atype == Analyzer::ANALYZER_SSH )
> 		{
> 		set_session(c);
> 		}
> 	}
> 
> is needed for the Log to work and perhaps for Notice as well.
> 
> It is not needed.  That is code specific to the existing ssh policy to start tracking the ssh session as soon as it is detected.  This is not relevant to what you are doing since you only care about authentication attempts.
>  
> Now I am struggling to pass the right information to this event (protocol_confirmation).
> 
> You don't pass information to that event.  You should not need to do anything with that event.
>  
> How does one return a record from a function? I can see examples of string and count etc… but not record.
> 
> You return a record exactly the same way you return a string or a count, there is no difference.
> 
> -- 
> Justin
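Pulling the thread together, here is an added, complete SSHAttempt module (written for this page, not code from Merril or from Zeek itself): the exported record, the `connection` redef, `set_session` returning the record on every path with `&default` instead of `&optional` on its parameters, and a handler for `ssh_auth_result` that writes the log and raises a notice with ACTION_EMAIL. Loading `base/protocols/ssh` is what attaches the SSH analyzer that raises `ssh_auth_result`, so no `protocol_confirmation` handler is needed. The field name `sshattempt`, the notice type `Auth_Result`, the log path and the `ssh_auth_result` signature are assumptions, and the script targets Zeek 3.x (`zeek_init`).

```zeek
@load base/protocols/ssh        # attaches the SSH analyzer; no protocol_confirmation handler is needed
@load base/frameworks/notice

module SSHAttempt;

export {
	redef enum Log::ID += { LOG };
	redef enum Notice::Type += { Auth_Result };
	type Info: record {
		ts:           time    &log;
		uid:          string  &log;
		id:           conn_id &log;
		auth_fail:    string  &log &optional;
		auth_success: string  &log &optional;
	};
}

# Per-connection state, under the field name used in the thread (c$sshattempt).
redef record connection += { sshattempt: Info &optional; };

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="sshattempt"]);
	}

function set_session(c: connection, auth_fail: string &default="", auth_success: string &default=""): Info
	{
	if ( ! c?$sshattempt )
		c$sshattempt = Info($ts=network_time(), $uid=c$uid, $id=c$id);
	if ( auth_fail != "" )
		c$sshattempt$auth_fail = auth_fail;
	if ( auth_success != "" )
		c$sshattempt$auth_success = auth_success;
	return c$sshattempt;
	}

# Raised by the SSH analyzer once the auth outcome is known (signature assumed from the Zeek docs).
event ssh_auth_result(c: connection, result: bool, auth_attempts: count)
	{
	local info = result ? set_session(c, "", "success") : set_session(c, "failure");
	Log::write(LOG, info);
	NOTICE([$note=Auth_Result, $conn=c, $identifier=cat(c$id$orig_h, c$id$resp_h),
	        $msg=fmt("SSH auth %s after %d attempts", result ? "succeeded" : "failed", auth_attempts)]);
	}
# Email this notice type on top of writing it to notice.log.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Auth_Result )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Run it with `zeek -r some.pcap sshattempt.zeek` (or under zeekctl) and check that notice.log lists Notice::ACTION_EMAIL in the actions column; if it does and no mail arrives, the problem is the SMTP setup, as Justin notes.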
