[Zeek] Creating a module and accessing an event in another script

Justin Azoff justin at corelight.com
Thu Jun 6 09:22:34 PDT 2019


email_ssh_attempt.bro is not required at all because you already
added Login_Attempted to Notice::emailed_types in the other script.

Your other script is slightly broken because in the case of an unknown result
the field is not present, so your script needs to look like this:

event SSH::log_ssh(rec: SSH::Info) &priority=5
{
    # auth_success is &optional: it is absent when the analyzer could not
    # tell whether the login worked, so test for the field before reading it
    if ( ! rec?$auth_success ) {
        NOTICE([$note=SSH::Login_Attempted, $msg="SSH login attempt, result unknown"]);
    }
    else if ( rec$auth_success == F ) {
        NOTICE([$note=SSH::Login_Attempted,
                $msg=fmt("SSH login attempted from %s, %d times and failed",
                         rec$client, rec$auth_attempts)]);
    } else {
        NOTICE([$note=SSH::Login_Attempted,
                $msg=fmt("SSH login attempted from %s, %d times and succeeded",
                         rec$client, rec$auth_attempts)]);
    }
}

If you look at your reporter.log you should see it filled with errors like
this:

Reporter::ERROR field value missing [SSH::rec$auth_success]
alert_ssh_attempt_new.bro, line 14

On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi All,
>
> I cannot figure out why the Notice doesn’t behave as expected on live
> traffic. I am now trying to make it work with the SSH (log_ssh) event as the
> previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE
> function just after the log_ssh event from a script it sends me email on
> live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE
> conditionals for the auth_success boolean then it does not send me emails.
> Anyone see what I am doing wrong? I couldn’t figure it out from the Notice
> documentation.
>
> Please find attached the scripts for reference.
>
> Kind regards,
> Merril.
>
> On 5 Jun 2019, at 18:39, Justin Azoff <justin at corelight.com> wrote:
>
> That script should generally work, but it was a lot more complicated than
> it needed to be to accomplish what you are trying to do.  Here is a much
> simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to
> setup the log stream this won't work on bro or a small number of zeek
> builds from right after the rename.  There are no released versions of zeek
> so I don't know when you built it.  Using bro_init is backwards compatible
> and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com>
> wrote:
>
>> Hi Justin,
>>
>> I can confirm that the attached scripts do not send me email on live
>> traffic or create a log under $PREFIX/logs/current. But they do create
>> notice.log and a SSHAttempt.log when running a pcap. I can also confirm that
>> the send mail set up is working as I have received emails from zeek from other
>> scripts.
>>
>> Kind regards,
>> Merril.
>>
>>
>>
>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <
>> merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> Thanks. But it did not work for me.
>>>
>>
>> Did not work how?  Did you post the version of the script that didn't
>> work?
>>
>> --
>> Justin
>>
>>
>>
>
> --
> Justin
> <main.zeek>
>
>
>

-- 
Justin
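For reference, here is one self-contained script that does everything the two scripts in the thread were split across: it declares the SSH::Login_Attempted notice type, puts it on Notice::emailed_types, and raises it from SSH::log_ssh while checking every &optional field of SSH::Info before reading it (both auth_success and client, since a capture that starts mid-session has no client banner either). This is an added example, not code from the thread or from Zeek's own scripts; it assumes the SSH::Info field attributes of the Zeek 2.6-era base/protocols/ssh script (auth_success and client &optional, auth_attempts &default=0) and the notice type name used in the thread. The $identifier/$suppress_for pair is an added rate limit so a brute-forcing host produces one e-mail per hour rather than one per session.

```zeek
##! Added example (not part of the mailing list thread): raise and e-mail
##! SSH::Login_Attempted for every logged SSH session without tripping
##! "field value missing" errors in reporter.log.

@load base/frameworks/notice
@load base/protocols/ssh

module SSH;

export {
    redef enum Notice::Type += {
        ## Raised once per logged SSH session, whatever the auth result.
        Login_Attempted,
    };
}

# Mail the notice from this script, so no second script is needed.
redef Notice::emailed_types += { SSH::Login_Attempted };

event SSH::log_ssh(rec: SSH::Info) &priority=5
    {
    # auth_success is &optional: it is absent when the analyzer could not
    # decide, so test for presence before reading it.
    local result = "unknown";
    if ( rec?$auth_success )
        result = rec$auth_success ? "succeeded" : "failed";

    # client is &optional as well (e.g. the capture started mid-session).
    local client = rec?$client ? rec$client : "<no client banner>";

    # auth_attempts is assumed to carry &default=0, so it is always present.
    NOTICE([$note=SSH::Login_Attempted,
            $msg=fmt("SSH login from %s to %s %s after %d attempt(s)",
                     rec$id$orig_h, rec$id$resp_h, result, rec$auth_attempts),
            $sub=client,
            $uid=rec$uid,
            $id=rec$id,
            # One notice (and one e-mail) per client host per hour.
            $identifier=cat(rec$id$orig_h),
            $suppress_for=1hr]);
    }
```

Run it against a capture first (zeek -C -r ssh.pcap this_script.zeek), then check that reporter.log is empty and notice.log holds one Login_Attempted row per source host; only then deploy it under zeekctl, where the emailed_types redef is what actually triggers the mail.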