[Zeek] Send email on any SSH attempt

Merril Mathew merril.mathew at baby2body.com
Thu May 30 07:10:53 PDT 2019


Hi Anthony,

Thank you for the reply. I have changed the files as suggested by you
(please find the new files attached for reference). I loaded both
zeek_mail.zeek and zeek_mail2.zeek from local.zeek (e.g. @load
/usr/local/bro/share/bro/site/zeek_mail.zeek). I restarted Zeek with
`zeekctl deploy`. Then I logged out of my AWS EC2 server and logged back
in. I can see ssh.log under $PREFIX/logs/current but no notice.log, and I
did not receive an email. I am not sure if there is something else I am
missing.

Please note that I have MailTo="email at address" set in my zeekctl.cfg, I
can send an email using sendmail manually, and Zeek seems to send emails on
connection summary and capture loss fine. I tried, to the best of my efforts,
most of the resources on notices available online, without success. Any help
would be much appreciated.

Kind regards,
Merril.

On Thu, 30 May 2019 at 14:30, anthony kasza <anthony.kasza at gmail.com> wrote:

> Hi Merril,
>
> In zeek_mail.zeek, change "$note=Notice::Login_attempted" to
> "$note=SSH::Login_attempted". This is because you exported the additional
> notice type from the SSH module namespace.
>
> I'm not completely sure, but you may need to change the second @load
> directive in zeek_mail2.zeek to "zeek_mail" instead of
> "alert_ssh_attempted.zeek".
>
> -AK
>
> On Thu, May 30, 2019, 03:48 Merril Mathew <merril.mathew at baby2body.com>
> wrote:
>
>> Hi All,
>>
>> I am very new to Zeek. I was trying to send an email on any SSH attempt,
>> regardless of success or failure. The notice framework is really confusing and
>> I could not find much information online. :) It would be great if someone could
>> explain to me what I need to do to solve this specific issue.
>>
>> Please find attached what I have tried so far. Please also note that
>> whenever I ran my scripts against a pcap file, a notice.log was generated.
>> However, if I load my script from local.zeek then I cannot find
>> any notice.log in $PREFIX/bro/logs/current.
>>
>> zeek_mail.zeek is where the Notice implementation is done and
>> zeek_mail2.zeek is where the notice hook is applied.
>>
>> Kind regards,
>> Merril.
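The two-script layout Anthony describes, written out as an added example (not the scrubbed attachments from this thread): the notice type is exported from the `SSH` module, so `$note` must name it as `SSH::Login_attempted`, and the second script loads the first by script name and attaches `ACTION_EMAIL` in a `Notice::policy` hook. `ssh_auth_attempted`, `Notice::ACTION_EMAIL` and `Notice::mail_dest` are standard Zeek; the file names, the message text and the recipient are assumptions. Both files are shown in one block, split at the second `##!` header.

```zeek
##! zeek_mail.zeek: define the notice type and raise it on every SSH attempt.
##! Added example; assumed to live next to local.zeek in the site/ directory.
module SSH;

export {
    redef enum Notice::Type += {
        ## Any SSH authentication attempt, successful or not.
        Login_attempted,
    };
}

# ssh_auth_attempted fires once per authentication attempt; `authenticated`
# says whether that attempt succeeded.
event ssh_auth_attempted(c: connection, authenticated: bool)
    {
    # The type was exported from module SSH, so its full name is
    # SSH::Login_attempted; Notice::Login_attempted does not exist.
    # No $identifier is set on purpose: with one, the notice framework
    # suppresses repeats for Notice::default_suppression_interval, and
    # here every attempt should produce its own notice and e-mail.
    NOTICE([$note=SSH::Login_attempted,
            $msg=fmt("SSH login attempt from %s to %s (%s)",
                     c$id$orig_h, c$id$resp_h,
                     authenticated ? "success" : "failure"),
            $conn=c]);
    }

##! zeek_mail2.zeek: attach the e-mail action to that notice type.
##! Added example; load it from local.zeek with `@load ./zeek_mail2`.
@load base/frameworks/notice
@load ./zeek_mail   # by script name, not "alert_ssh_attempted.zeek"

# zeekctl fills Notice::mail_dest from MailTo in zeekctl.cfg; the redef is
# only needed when running `zeek -r some.pcap` directly (placeholder address).
# redef Notice::mail_dest = "soc@example.com";

hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Login_attempted )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

notice.log is only created once a notice is actually raised, so after `zeekctl deploy` run `zeekctl check` to confirm both scripts parse, then make one SSH login and look for notice.log and the mail.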