[Zeek] Creating a module and accessing an event in another script
Merril Mathew
merril.mathew at baby2body.com
Thu Jun 6 09:10:38 PDT 2019
Hi All,
I cannot figure out why the Notice doesn't behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event, as my previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script, it sends me an email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean, then it does not send me emails. Anyone see what I am doing wrong? I couldn't figure it out from the Notice documentation.
Please find attached the scripts for reference.
Kind regards,
Merril.
> On 5 Jun 2019, at 18:39, Justin Azoff <justin at corelight.com> wrote:
>
> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to setup the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
> Hi Justin,
>
> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But they do create notice.log and a SSHAttempt.log when running a pcap. I can also confirm that the send mail setup is working, as I have received emails from zeek from other scripts.
>
> Kind regards,
> Merril.
>
>
>
>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com <mailto:justin at corelight.com>> wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
>> Hi Justin,
>>
>> Thanks. But it did not work for me.
>>
>> Did not work how? Did you post the version of the script that didn't work?
>>
>> --
>> Justin
>
>
>
> --
> Justin
> <main.zeek>
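Added example, not from this thread and not one of the attached scripts: an SSH::log_ssh handler that raises separate notices from inside the auth_success conditionals. One detail worth checking in any script of this shape is that SSH::Info$auth_success is declared &optional, so a record can reach log_ssh with the field unset (for example when Zeek never observed an authentication outcome for the connection); reading rec$auth_success in that state is a runtime "field value missing" error that ends the handler before any NOTICE after it is reached, which is why the example tests rec?$auth_success first. The module name SSHAttempt and the three notice type names are assumptions made for the example; Notice::mail_dest still has to be set (normally in local.zeek) for the email action to do anything.

```zeek
@load base/frameworks/notice
@load base/protocols/ssh

# Hypothetical module name chosen for this example.
module SSHAttempt;

export {
    redef enum Notice::Type += {
        ## An SSH login succeeded (assumed name).
        Login_Success,
        ## An SSH login failed (assumed name).
        Login_Failure,
        ## The SSH record reached log_ssh without an auth result (assumed name).
        Auth_Undetermined,
    };
}

# Email the two outcome notices. Notice::mail_dest must also be set, otherwise
# ACTION_EMAIL is a no-op.
redef Notice::emailed_types += { Login_Success, Login_Failure };

event SSH::log_ssh(rec: SSH::Info)
    {
    # auth_success is &optional in SSH::Info. Dereferencing an unset optional
    # field is a runtime error that aborts this handler, so guard it first.
    if ( ! rec?$auth_success )
        {
        NOTICE([$note=Auth_Undetermined,
                $msg=fmt("SSH auth result unknown for %s -> %s",
                         rec$id$orig_h, rec$id$resp_h),
                $id=rec$id, $uid=rec$uid]);
        return;
        }

    if ( rec$auth_success )
        {
        # Success: suppress repeats for the same client/server pair for an hour
        # so a busy admin host does not flood the mailbox.
        NOTICE([$note=Login_Success,
                $msg=fmt("SSH login succeeded from %s to %s",
                         rec$id$orig_h, rec$id$resp_h),
                $id=rec$id, $uid=rec$uid,
                $identifier=cat(rec$id$orig_h, rec$id$resp_h),
                $suppress_for=1hr]);
        }
    else
        {
        # Failure: no suppression, every failed attempt is reported.
        NOTICE([$note=Login_Failure,
                $msg=fmt("SSH login failed from %s to %s (%d attempts)",
                         rec$id$orig_h, rec$id$resp_h,
                         rec?$auth_attempts ? rec$auth_attempts : 0),
                $id=rec$id, $uid=rec$uid]);
        }
    }
```

Run it against a pcap with `zeek -r ssh.pcap ./ssh_attempt.zeek` and look at notice.log: if the Auth_Undetermined rows dominate on live traffic, the conditional branches were never the problem, the optional field was. The handler only uses the SSH::Info record, so it works the same whether it is loaded via local.zeek or deployed with zeekctl, and it does not depend on zeek_init versus bro_init.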
-------------- next part --------------
A non-text attachment was scrubbed...
Name: alert_ssh_attempt_new.bro
Type: application/octet-stream
Size: 957 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/9514e001/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: email_ssh_attempt.bro
Type: application/octet-stream
Size: 239 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190606/9514e001/attachment-0001.obj