[Zeek] Creating a module and accessing an event in another script

Merril Mathew merril.mathew at baby2body.com
Thu Jun 6 11:44:50 PDT 2019


Hi Justin,

Now it sends the email. But it executes the "if(!rec?$auth_success)"
condition and I am getting the message "unknown", which means auth_success is
not found on live traffic, so the error remains, I think.

Kind regards,
Merril.

On Wed, 5 Jun 2019, 18:39 Justin Azoff, <justin at corelight.com> wrote:

> That script should generally work, but it was a lot more complicated than
> it needed to be to accomplish what you are trying to do.  Here is a much
> simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to
> set up the log stream this won't work on bro or a small number of zeek
> builds from right after the rename.  There are no released versions of zeek
> so I don't know when you built it.  Using bro_init is backwards compatible
> and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com>
> wrote:
>
>> Hi Justin,
>>
>> I can confirm that the attached scripts do not send me email on live
>> traffic or create a log under $PREFIX/logs/current. But it does create
>> notice.log and a SSHAttempt.log when running pcap. I can also confirm that
>> send mail set up is working as I have received emails from zeek from other
>> scripts.
>>
>> Kind regards,
>> Merril.
>>
>>
>>
>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <
>> merril.mathew at baby2body.com> wrote:
>>
>>> Hi Justin,
>>>
>>> Thanks. But it did not work for me.
>>>
>>
>> Did not work how?  Did you post the version of the script that didn't
>> work?
>>
>> --
>> Justin
>>
>>
>>
>
> --
> Justin
>