[Zeek] Send email on any SSH attempt

anthony kasza anthony.kasza at gmail.com
Thu May 30 06:30:21 PDT 2019


Hi Merril,

In zeek_mail.zeek, change "$note=Notice::Login_attempted" to
"$note=SSH::Login_attempted". This is because you exported the additional
notice type from the SSH module namespace.

I'm not completely sure, but you may need to change the second @load
directive in zeek_mail2.zeek to "zeek_mail" instead of
"alert_ssh_attempted.zeek".

-AK

On Thu, May 30, 2019, 03:48 Merril Mathew <merril.mathew at baby2body.com>
wrote:

> Hi All,
>
> I am very new to Zeek. I was trying to send an email on any SSH attempt,
> regardless of success or fail. The notice framework is really confusing and
> I could not find much information online. :) Would be great if someone can
> explain to me what I need to do to solve this specific issue.
>
> Please find attached what I have tried so far. Please also note that
> whenever I tried to run my scripts with a pcap file, it generates a
> notice.log. However, if I load my script into local.zeek then I cannot find
> any notice.log in $PREFIX/bro/logs/current.
>
> zeek_mail.zeek is where the Notice implementation is done and
> zeek_mail2.zeek is where the notice hook is applied.
>
> Kind regards,
> Merril.
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
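As an added, constructed example (not Merril's attached scripts, which are not on the page, and not Zeek project code), here is a single Zeek script that follows AK's advice: the notice type is exported from the SSH module, so it is referenced as SSH::Login_attempted everywhere, including in the Notice::policy hook that turns it into an e-mail. The recipient address, the hypothetical helper function name and the one-hour suppression window are assumptions for illustration; the events ssh_auth_successful and ssh_auth_failed, Notice::ACTION_EMAIL and Notice::mail_dest are the real Zeek names.

```zeek
##! Added example: raise a notice on every SSH authentication attempt,
##! success or failure, and have the Notice framework e-mail it.
##! Assumes Zeek 2.6/3.x with a working sendmail binary at
##! Notice::sendmail (default /usr/sbin/sendmail).

@load base/frameworks/notice
@load base/protocols/ssh

# Hypothetical recipient; e-mail actions are silently dropped if this
# stays at its empty default.
redef Notice::mail_dest = "soc@example.com";

module SSH;

export {
	redef enum Notice::Type += {
		## Raised once per SSH authentication attempt.  Because it is
		## exported from the SSH module, every other script refers to it
		## as SSH::Login_attempted, never Notice::Login_attempted.
		Login_attempted
	};
}

# Hypothetical helper that builds the notice.  $identifier together with
# $suppress_for means one client/server/outcome triple yields one e-mail
# per hour rather than one per password guess during a brute-force run;
# a later success is keyed separately so it is never hidden by failures.
function notify_attempt(c: connection, outcome: string)
	{
	NOTICE([$note=SSH::Login_attempted,
	        $msg=fmt("SSH login %s from %s to %s:%s", outcome,
	                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
	        $conn=c,
	        $identifier=cat(c$id$orig_h, c$id$resp_h, outcome),
	        $suppress_for=1hr]);
	}

# Both events are generated by base/protocols/ssh.
event ssh_auth_successful(c: connection, auth_method_none: bool)
	{
	notify_attempt(c, "succeeded");
	}

event ssh_auth_failed(c: connection)
	{
	notify_attempt(c, "failed");
	}

# In Merril's layout this hook lives in the second script, which would
# @load the first one; it is kept in the same file here so the example is
# self-contained.  It matches on the namespaced type and adds the action.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == SSH::Login_attempted )
		add n$actions[Notice::ACTION_EMAIL];
	}
```

Run against a capture with `zeek -r capture.pcap zeek_mail.zeek` and notice.log appears in the working directory with a notice.log row per attempt (the file is only created once a notice is actually raised). Under zeekctl, a script added to local.zeek takes effect only after `zeekctl deploy`, and the actual e-mail is sent by the sendmail binary the Zeek process can execute, which is worth testing separately before trusting the alert path.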