[Zeek] Creating a module and accessing an event in another script

Merril Mathew merril.mathew at baby2body.com
Thu Jun 6 09:46:51 PDT 2019


Hi Justin,

Thanks again. I made the changes you sent and I am getting this error on reporter.log. “ 1559839456.472514       Reporter::ERROR field value missing [SSH::rec$auth_success]     /usr/local/bro/share/bro/site/alert_ssh_attempt.bro, line 22” 

But it definitely returns auth_success=F when running on .pcap. I assume auth_success will be T when I ssh into the box?

Kind regards,
Merril.

> On 6 Jun 2019, at 17:22, Justin Azoff <justin at corelight.com> wrote:
> 
> email_ssh_attempt.bro is not required at all because you already added Login_Attempted to Notice::emailed_types in the other script.
> 
> Your other script is slightly broken because in the case of unknown result the field is not present, so your script needs to look like this.
> 
> event log_ssh(rec: Info) &priority=5
> {
>     if(!rec?$auth_success) {
>         NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
>     }
>     else if(rec$auth_success == F) {
>         NOTICE([$note=SSH::Login_Attempted,
>            $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
>     } else {
>         NOTICE([$note=SSH::Login_Attempted,
>            $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
>     }
> }
> 
> if you look at your reporter.log you should see it filled with errors like this:
> 
> Reporter::ERROR	field value missing [SSH::rec$auth_success]  alert_ssh_attempt_new.bro, line 14
> 
> 
> 
> 
> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
> Hi All,
> 
> I cannot figure out why the Notice doesn’t behave as expected on live traffic. I am now trying to make it work with the SSH (log_ssh) event, as my previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE function just after the log_ssh event from a script, it sends me email on live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE conditionals for the auth_success boolean, then it does not send me emails. Anyone see what I am doing wrong? I couldn’t figure it out from the Notice documentation.
> 
> Please find attached the scripts for reference.
> 
> Kind regards,
> Merril.
> 
>> On 5 Jun 2019, at 18:39, Justin Azoff <justin at corelight.com> wrote:
>> 
>> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do.  Here is a much simplified version.
>> 
>> The only thing to keep in mind is that since you are using zeek_init to setup the log stream this won't work on bro or a small number of zeek builds from right after the rename.  There are no released versions of zeek so I don't know when you built it.  Using bro_init is backwards compatible and is probably better for now.
>> 
>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>> Hi Justin,
>> 
>> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But they do create notice.log and a SSHAttempt.log when running a pcap. I can also confirm that the sendmail setup is working, as I have received emails from zeek from other scripts.
>> 
>> Kind regards,
>> Merril.
>> 
>> 
>> 
>>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>>> 
>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>>> Hi Justin,
>>> 
>>> Thanks. But it did not work for me.
>>> 
>>> Did not work how?  Did you post the version of the script that didn't work? 
>>> 
>>> -- 
>>> Justin
>> 
>> 
>> 
>> -- 
>> Justin
>> <main.zeek>
> 
> 
> 
> -- 
> Justin
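The "field value missing" error discussed in this thread comes from reading an `&optional` record field that is absent, which aborts the event handler before any NOTICE is raised. The following stand-alone script is an added example, not one of the attached scripts from the thread: it defines its own module and notice type (the module name `SSHAttempt` and the type name `Login_Attempted` are assumptions), handles `SSH::log_ssh`, and guards every optional field of `SSH::Info` (`auth_success`, `auth_attempts`, `client`) with `?$` before use. It also attaches the connection `uid`/`id` and a suppression identifier so repeated attempts from one source do not flood the mailbox.

```zeek
# Added example (not from the thread). Module and notice-type names are
# illustrative assumptions; Notice::mail_dest must be set elsewhere
# (e.g. local.zeek) for e-mail delivery to happen.
module SSHAttempt;

export {
    redef enum Notice::Type += {
        ## An SSH authentication attempt was observed (success, failure or unknown).
        Login_Attempted
    };
}

# Deliver this notice type by e-mail in addition to writing notice.log.
redef Notice::emailed_types += { Login_Attempted };

# auth_success, auth_attempts and client are all &optional in SSH::Info, so
# each is tested with ?$ before being read. Reading a missing field is what
# produces "field value missing" in reporter.log and silently drops the notice.
event SSH::log_ssh(rec: SSH::Info)
    {
    local client = rec?$client ? rec$client : "unknown client";
    local attempts = rec?$auth_attempts ? rec$auth_attempts : 0;
    local outcome: string;

    if ( ! rec?$auth_success )
        outcome = "result unknown";
    else if ( rec$auth_success )
        outcome = "succeeded";
    else
        outcome = "failed";

    NOTICE([$note=Login_Attempted,
            $msg=fmt("SSH login from %s (%s) to %s: %d attempt(s), %s",
                     rec$id$orig_h, client, rec$id$resp_h, attempts, outcome),
            $uid=rec$uid,
            $id=rec$id,
            # Collapse repeated notices for the same source/destination/outcome
            # so a brute-force run does not generate one e-mail per connection.
            $identifier=cat(rec$id$orig_h, rec$id$resp_h, outcome),
            $suppress_for=10min]);
    }
```

Save it as, for example, `ssh_attempt.zeek`, `@load` it from `local.zeek`, and first run it against a pcap (`zeek -r capture.pcap local`): an empty `reporter.log` after that run confirms no optional field is read unguarded, and `notice.log` shows the messages that would be mailed on live traffic.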
