[Zeek] Send email on any SSH attempt

Merril Mathew merril.mathew at baby2body.com
Thu May 30 02:45:01 PDT 2019


Hi All,

I am very new to Zeek. I was trying to send an email on any SSH attempt,
regardless of success or failure. The notice framework is really confusing and
I could not find much information online. :) It would be great if someone could
explain to me what I need to do to solve this specific issue.

Please find attached what I have tried so far. Please also note that
whenever I run my scripts against a pcap file, a notice.log is generated.
However, if I load my script from local.zeek, I cannot find any notice.log
in $PREFIX/bro/logs/current.

zeek_mail.zeek is where the Notice implementation is done and
zeek_mail2.zeek is where the notice hook is applied.

Kind regards,
Merril.
-------------- next part --------------
A non-text attachment was scrubbed: zeek_mail2.zeek (225 bytes)
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190530/ebf47a4d/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed: zeek_mail.zeek (353 bytes)
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/zeek/attachments/20190530/ebf47a4d/attachment-0001.obj
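The following is an added example of the pattern the question asks about; it is not the poster's attached zeek_mail.zeek or zeek_mail2.zeek and not Zeek project code. It folds the two pieces the poster describes (defining a Notice::Type and raising it, then attaching ACTION_EMAIL in a Notice::policy hook) into one script, covering both outcomes via the ssh_auth_successful and ssh_auth_failed events. The module name SSHAuthMail, the notice type Auth_Attempt, the helper raise_attempt and the recipient address soc@example.com are assumptions chosen for the example.

```zeek
# Added example (not the poster's attached scripts): raise a Notice on every
# SSH authentication result Zeek sees and have the Notice framework mail it.
# Save as e.g. ssh-auth-mail.zeek and "@load" it from local.zeek.
@load base/frameworks/notice
@load base/protocols/ssh

module SSHAuthMail;

export {
	redef enum Notice::Type += {
		## Raised once per SSH authentication outcome, success or failure.
		Auth_Attempt,
	};
}

# Shared body for both outcomes. No $identifier is set on purpose: with one,
# the framework would suppress repeats for Notice::default_suppression_interval
# (1 hour by default), and the goal here is to hear about every attempt.
# On a busy sensor that is a lot of mail; set $identifier (e.g. to the
# client address) if you want one message per source per interval instead.
function raise_attempt(c: connection, outcome: string)
	{
	NOTICE([$note=Auth_Attempt,
	        $conn=c,
	        $msg=fmt("SSH authentication %s: %s -> %s:%s", outcome,
	                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
	        $sub=outcome]);
	}

# The SSH payload is encrypted, so Zeek infers the authentication result
# heuristically and fires one of these two events for a connection.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	raise_attempt(c, auth_method_none ? "succeeded (method none)" : "succeeded");
	}

event ssh_auth_failed(c: connection)
	{
	raise_attempt(c, "failed");
	}

# Every notice passes through this hook; actions are attached here. Only our
# type gets ACTION_EMAIL. The notice is still written to notice.log as usual.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Auth_Attempt )
		add n$actions[Notice::ACTION_EMAIL];
	}

# Recipient (assumed address). Mail is handed to Notice::sendmail, which
# defaults to /usr/sbin/sendmail, so the sensor needs a working local MTA.
redef Notice::mail_dest = "soc@example.com";
```

To test against a capture, run `zeek -r some.pcap ssh-auth-mail.zeek`; notice.log is then written to the current directory, and the email action is attempted through sendmail on that host. In a zeekctl deployment, add `@load ./ssh-auth-mail` (path relative to local.zeek) and run `zeekctl deploy`, which re-installs the scripts and restarts the workers; without the redeploy the running Zeek never picks the script up, and notice.log only appears in logs/current once a notice has actually been raised.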