[Zeek] Creating a module and accessing an event in another script

Merril Mathew merril.mathew at baby2body.com
Fri Jun 7 01:29:19 PDT 2019


Hi Justin,

You are a life saver. :) That did the trick. 

I also have one more question. I have been searching online to understand how a function can return a user-defined record and have not come across an example yet.

@load base/protocols/ssh

function set_session(c: connection, var: string): SSH::Info
	{
	# The return type must name the record type itself (SSH::Info),
	# not the generic keyword "record"; the required fields are set
	# from the connection so the record is usable by the caller.
	local info: SSH::Info = [$ts=network_time(), $uid=c$uid, $id=c$id];
	return info;
	}
This doesn’t work. Am I on the right path here?

Kind regards,
Merril.


> On 6 Jun 2019, at 19:54, Justin Azoff <justin at corelight.com> wrote:
> 
> probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums ?
> 
> On Thu, Jun 6, 2019 at 2:45 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
> Hi Justin,
> 
> Now it sends the email. But it executes the "if(!rec?$auth_success)" condition and I am getting the message "unknown", which means auth_success is not found on live traffic, so the error remains, I think.
> 
> Kind regards,
> Merril.
> 
> On Wed, 5 Jun 2019, 18:39 Justin Azoff, <justin at corelight.com> wrote:
> That script should generally work, but it was a lot more complicated than it needed to be to accomplish what you are trying to do.  Here is a much simplified version.
> 
> The only thing to keep in mind is that since you are using zeek_init to set up the log stream, this won't work on bro or a small number of zeek builds from right after the rename.  There are no released versions of zeek, so I don't know when you built it.  Using bro_init is backwards compatible and is probably better for now.
> 
> On Wed, Jun 5, 2019 at 12:46 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
> Hi Justin,
> 
> I can confirm that the attached scripts do not send me email on live traffic or create a log under $PREFIX/logs/current. But they do create notice.log and a SSHAttempt.log when running on a pcap. I can also confirm that the mail-sending setup is working, as I have received emails from zeek from other scripts.
> 
> Kind regards,
> Merril.
> 
> 
> 
>> On 5 Jun 2019, at 17:20, Justin Azoff <justin at corelight.com> wrote:
>> 
>> On Wed, Jun 5, 2019 at 12:11 PM Merril Mathew <merril.mathew at baby2body.com> wrote:
>> Hi Justin,
>> 
>> Thanks. But it did not work for me.
>> 
>> Did not work how?  Did you post the version of the script that didn't work? 
>> 
>> -- 
>> Justin
> 
> 
> 
> -- 
> Justin
> 
> 
> -- 
> Justin
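The two points raised in this thread, a function returning a user-defined record and a log stream created in bro_init rather than zeek_init, put together in one script. This is an added example, not a script from the thread; the module name SSHAttempt, the record type SSHAttempt::Info and the set_session signature with an outcome string are assumptions made for the example.

```zeek
@load base/protocols/ssh

module SSHAttempt;

export {
	redef enum Log::ID += { LOG };

	# Record type for this example's log; any record type can be
	# used as a function's return type in the same way.
	type Info: record {
		ts:      time    &log;
		uid:     string  &log;
		id:      conn_id &log;
		outcome: string  &log;
	};
}

# A function returns a user-defined record by naming that record type
# as its return type, not the keyword "record".
function set_session(c: connection, outcome: string): Info
	{
	local info: Info = [$ts=network_time(), $uid=c$uid,
	                    $id=c$id, $outcome=outcome];
	return info;
	}

# bro_init rather than zeek_init, for builds from before the rename.
event bro_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="SSHAttempt"]);
	}

# Both events carry the connection, so the record is built directly
# from it. If Zeek discards a live session's packets as having bad
# checksums (the FAQ entry linked in the thread), the SSH analyzer
# never runs on it, neither event fires, and SSH::Info's optional
# auth_success field stays unset, which is what a "!rec?$auth_success"
# branch then reports.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	Log::write(LOG, set_session(c, "success"));
	}

event ssh_auth_failed(c: connection)
	{
	Log::write(LOG, set_session(c, "failure"));
	}
```

Running this against a pcap with `zeek -r capture.pcap sshattempt.zeek` writes SSHAttempt.log next to ssh.log; on a live interface, the checksum FAQ applies before any of these handlers are reached.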
