[Zeek] Creating a module and accessing an event in another script

Justin Azoff justin at corelight.com
Thu Jun 6 10:12:03 PDT 2019


The first line should be

    if(!rec?$auth_success) {

not

    if(!rec$auth_success)

On Thu, Jun 6, 2019 at 1:02 PM Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Please find attached. It complains on the first if statement that
> auth_success is missing. At line 14 for !rec$auth_success.
>
>
> Merril.
>
> On 6 Jun 2019, at 17:56, Justin Azoff <justin at corelight.com> wrote:
>
> What does your current script look like?
>
> On Thu, Jun 6, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com>
> wrote:
>
>> Hi Justin,
>>
>> Thanks again. I made the changes you sent and I am getting this error on
>> reporter.log. “ 1559839456.472514       Reporter::ERROR field value
>> missing [SSH::rec$auth_success]     /usr/local/bro/share/bro/site/alert_ssh_attempt.bro,
>> line 22”
>>
>> But it definitely returns auth_success=F when running on .pcap. I assume
>> auth_success will be T when I ssh into the box?
>>
>> Kind regards,
>> Merril.
>>
>> On 6 Jun 2019, at 17:22, Justin Azoff <justin at corelight.com> wrote:
>>
>> email_ssh_attempt.bro is not required at all because you already
>> added Login_Attempted to Notice::emailed_types in the other script.
>>
>> Your other script is slightly broken because in the case of unknown
>> result the field is not present, so your script needs to look like this.
>>
>> event log_ssh(rec: Info) &priority=5
>> {
>>     # auth_success is an optional field: when the analyzer could not
>>     # determine the result it is absent, so test presence with ?$ first.
>>     if(!rec?$auth_success) {
>>         NOTICE([$note=SSH::Login_Attempted, $msg=fmt("Unknown")]);
>>     }
>>     else if(rec$auth_success == F) {
>>         NOTICE([$note=SSH::Login_Attempted,
>>            $msg=fmt("SSH login attempted from %s, %s many times and failed", rec$client, rec$auth_attempts)]);
>>     } else {
>>         NOTICE([$note=SSH::Login_Attempted,
>>            $msg=fmt("SSH login attempted from %s, %s many times and succeeded", rec$client, rec$auth_attempts)]);
>>     }
>> }
>>
>> if you look at your reporter.log you should see it filled with errors
>> like this:
>>
>> Reporter::ERROR field value missing [SSH::rec$auth_success]
>> alert_ssh_attempt_new.bro, line 14
>>
>>
>>
>>
>> On Thu, Jun 6, 2019 at 12:10 PM Merril Mathew <
>> merril.mathew at baby2body.com> wrote:
>>
>>> Hi All,
>>>
>>> I cannot figure out why the Notice doesn’t behave as expected on live
>>> traffic. I am now trying to make it work with the SSH (log_ssh) event, as my
>>> previous attempt on ssh_auth_result led me nowhere. If I raise the NOTICE
>>> function just after the log_ssh event from a script it sends me email on
>>> live traffic. However, if I use the NOTICE function inside IF, ELSE IF, ELSE
>>> conditionals for the auth_success boolean then it does not send me emails.
>>> Anyone see what I am doing wrong? I couldn’t figure it out from the Notice
>>> documentation.
>>>
>>> Please find attached the scripts for reference.
>>>
>>> Kind regards,
>>> Merril.
>>>
>>> On 5 Jun 2019, at 18:39, Justin Azoff <justin at corelight.com> wrote:
>>>
>>> That script should generally work, but it was a lot more complicated
>>> than it needed to be to accomplish what you are trying to do.  Here is a
>>> much simplified version.
>>>
>>> The only thing to keep in mind is that since you are using zeek_init to
>>> set up the log stream, this won't work on bro or a small number of zeek
>>> builds from right after the rename.  There are no released versions of zeek,
>>> so I don't know when you built it.  Using bro_init is backwards compatible
>>> and is probably better for now.
>>>
>>> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <
>>> merril.mathew at baby2body.com> wrote:
>>>
>>>> Hi Justin,
>>>>
>>>> I can confirm that the attached scripts do not send me email on live
>>>> traffic or create a log under $PREFIX/logs/current. But they do create a
>>>> notice.log and a SSHAttempt.log when running on a pcap. I can also confirm that
>>>> the send-mail setup is working, as I have received emails from zeek from other
>>>> scripts.
>>>>
>>>> Kind regards,
>>>> Merril.
>>>>
>>>>
>>>>
>>>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>>>>
>>>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <
>>>> merril.mathew at baby2body.com> wrote:
>>>>
>>>>> Hi Justin,
>>>>>
>>>>> Thanks. But it did not work for me.
>>>>>
>>>>
>>>> Did not work how?  Did you post the version of the script that didn't
>>>> work?
>>>>
>>>> --
>>>> Justin
>>>>
>>>>
>>>>
>>>
>>> --
>>> Justin
>>> <main.zeek>
>>>
>>>
>>>
>>
>> --
>> Justin
>>
>>
>>
>
> --
> Justin
>
>
>

-- 
Justin
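For reference, the guarded handler Justin describes above, expanded into a complete script that can be loaded from local.zeek. This is an added example, not the attachment from the thread or Zeek's own code. It goes one step further than the thread's snippet: in `SSH::Info` the `auth_attempts` and `client` fields are `&optional` as well, so they get the same `?$` presence check, and the always-present `id` supplies the endpoints. The notice type `Login_Attempted` is the one the thread uses; the helper `describe_attempt` is this example's own name.

```zeek
# Added example (not the thread's attachment): SSH::log_ssh handler that
# raises one notice per session and never reads an absent &optional field.
@load base/protocols/ssh
@load base/frameworks/notice

module SSH;

export {
    redef enum Notice::Type += {
        ## One notice per SSH session, raised when its ssh.log record is written.
        Login_Attempted,
    };
}

# Route this notice type to the e-mail action. Notice::mail_dest must also
# be set (for example in local.zeek) for a message to actually be sent.
redef Notice::emailed_types += { SSH::Login_Attempted };

# Build the notice text from an SSH::Info record. auth_success, auth_attempts
# and client are all &optional: reading one that is absent aborts the handler
# with "field value missing", so each is tested with ?$ before it is used.
# (Helper name is this example's own, not part of Zeek.)
function describe_attempt(rec: SSH::Info): string
    {
    local who = fmt("%s -> %s", rec$id$orig_h, rec$id$resp_h);
    local client_ver = rec?$client ? rec$client : "unknown client";
    local tries = rec?$auth_attempts ? fmt("%d attempts", rec$auth_attempts) : "unknown attempts";

    if ( ! rec?$auth_success )
        return fmt("SSH login %s (%s): outcome unknown, %s", who, client_ver, tries);
    else if ( rec$auth_success )
        return fmt("SSH login %s (%s): succeeded after %s", who, client_ver, tries);
    else
        return fmt("SSH login %s (%s): failed after %s", who, client_ver, tries);
    }

# &priority=5 runs this handler before default-priority handlers of the same event.
event SSH::log_ssh(rec: SSH::Info) &priority=5
    {
    NOTICE([$note=SSH::Login_Attempted,
            $msg=describe_attempt(rec),
            $id=rec$id,
            $uid=rec$uid,
            # identifier + suppress_for: at most one notice per connection
            $identifier=rec$uid,
            $suppress_for=1hr]);
    }
```

Save it alongside local.zeek under the site directory and add an `@load` line for it; no init handler is needed because everything is done with `redef`, so the bro_init/zeek_init compatibility question from earlier in the thread does not arise. To check the presence guards against a capture before deploying on live traffic, run it on a pcap and confirm that reporter.log stays free of "field value missing" errors while notice.log gains one `SSH::Login_Attempted` entry per session.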