[Zeek] Creating a module and accessing an event in another script
Merril Mathew
merril.mathew at baby2body.com
Fri Jun 7 01:29:19 PDT 2019
Hi Justin,
You are a life saver. :) That did the trick.
I also have one more question. I been searching online to understand how a function can return a user defined record and have not come across one yet.
function set_session(c: connection, var: string): record
{
local info: SSH::Info;
return info;
}
This doesn’t work. Am I on the right path here?
Kind regards,
Merril.
> On 6 Jun 2019, at 19:54, Justin Azoff <justin at corelight.com> wrote:
>
> probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums <https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums> ?
>
> On Thu, Jun 6, 2019 at 2:45 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
> Hi Justin,
>
> Now it sends the email. But it executes the "if(!rec?$auth_success)" condition and I am getting message "unknown". Which means auth_success is not found on live traffic, so the error remains I think.
>
> Kind regards,
> Merril.
>
> On Wed, 5 Jun 2019, 18:39 Justin Azoff, <justin at corelight.com <mailto:justin at corelight.com>> wrote:
> that script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do. Here is a much simplified version.
>
> The only thing to keep in mind is that since you are using zeek_init to setup the log stream this won't work on bro or a small number of zeek builds from right after the rename. There are no released versions of zeek so I don't know when you built it. Using bro_init is backwards compatible and is probably better for now.
>
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
> Hi Justin,
>
> I can confirm that attached scripts does not send me email on live traffic or create a log under $PREFIX/logs/current. But it does create notice.log and a SSHAttempt.log when running pcap. I can also confirm that send mail set up is working as I have received emails from zeek from other scripts.
>
> Kind regards,
> Merril.
>
>
>
>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com <mailto:justin at corelight.com>> wrote:
>>
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com <mailto:merril.mathew at baby2body.com>> wrote:
>> Hi Justin,
>>
>> Thanks. But it did not work for me.
>>
>> Did not work how? Did you post the version of the script that didn't work?
>>
>> --
>> Justin
>
>
>
> --
> Justin
>
>
> --
> Justin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190607/d1396181/attachment.html
More information about the Zeek
mailing list