Please find attached. It complains on the first if statement that auth_success is missing. At line 14 for !rec$auth_success.
alert_ssh_attempt_new.bro (959 Bytes)
The first line should be
if(!rec?$auth_success) {
not
if(!rec$auth_success)
Hi Justin,
Now it sends the email. But it executes the “if(!rec?$auth_success)” condition and I am getting message “unknown”. Which means auth_success is not found on live traffic, so the error remains I think.
Kind regards,
Merril.
probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums ?
Hi Justin,
You are a life saver. That did the trick.
I also have one more question. I have been searching online to understand how a function can return a user-defined record and have not come across one yet.
function set_session(c: connection, var: string): record
{
local info: SSH::Info;
return info;
}
This doesn’t work. Am I on the right path here?
Kind regards,
Merril.
Hi Justin,
You are a life saver. That did the trick.
awesome
I also have one more question. I have been searching online to understand how a function can return a user-defined record and have not come across one yet.
function set_session(c: connection, var: string): record
{
local info: SSH::Info;
return info;
}
This doesn’t work. Am I on the right path here?
Close…
function set_session(c: connection, var: string): SSH::Info
should work.
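The two points from this thread combined, as an added example that is not part of the original messages or the attached script: a function whose return type is a named record, and a `?$` presence test before reading the optional `auth_success` field. The module name `SSHExample`, the `Summary` record and the `summarize` function are hypothetical names chosen for illustration.

```zeek
@load base/protocols/ssh

module SSHExample;

export {
    # Hypothetical user-defined record, used as the function's return type.
    type Summary: record {
        uid: string;
        client: addr;
        outcome: string;
    };
}

# The return type is the record's name, not the bare keyword "record".
function summarize(rec: SSH::Info): Summary
    {
    local s = Summary($uid=rec$uid, $client=rec$id$orig_h, $outcome="unknown");

    # auth_success is an optional field: test for it with ?$ before
    # reading it with $, otherwise an unset field is a runtime error.
    if ( rec?$auth_success )
        s$outcome = rec$auth_success ? "success" : "failure";

    return s;
    }

event SSH::log_ssh(rec: SSH::Info)
    {
    local s = summarize(rec);
    print fmt("%s %s %s", s$uid, s$client, s$outcome);
    }
```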