Creating a module and accessing an event in another script

Please find attached. It complains on the first if statement that auth_success is missing. At line 14 for !rec$auth_success.

alert_ssh_attempt_new.bro (959 Bytes)

The first line should be

if(!rec?$auth_success) {

not

if(!rec$auth_success)

Hi Justin,

Now it sends the email. But it executes the “if(!rec?$auth_success)” condition and I am getting message “unknown”. Which means auth_success is not found on live traffic, so the error remains I think.

Kind regards,
Merril.

probably this https://www.zeek.org/documentation/faq.html#why-isn-t-zeek-producing-the-logs-i-expect-a-note-about-checksums ?

Hi Justin,

You are a life saver. :) That did the trick.

I also have one more question. I have been searching online to understand how a function can return a user defined record and have not come across one yet.

function set_session(c: connection, var: string): record
{
    local info: SSH::Info;
    return info;
}

This doesn’t work. Am I on the right path here?

Kind regards,
Merril.

> Hi Justin,
>
> You are a life saver. :) That did the trick.

awesome :)

> I also have one more question. I have been searching online to understand how a function can return a user defined record and have not come across one yet.
>
> function set_session(c: connection, var: string): record
> {
>     local info: SSH::Info;
>     return info;
> }
>
> This doesn’t work. Am I on the right path here?

Close…

function set_session(c: connection, var: string): SSH::Info

should work.
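
The two answers in this thread combined, as an added example that is not code from the thread or from the attached script: a function whose return type is a named user-defined record, and a `?$` presence test on the optional `auth_success` field before it is read. The module name `SSHAlert`, the record `Outcome` and the function `summarize` are hypothetical names chosen for illustration.

```zeek
@load base/protocols/ssh

module SSHAlert;  # hypothetical module name for this example

export {
	# User-defined record returned by summarize() below (illustrative fields).
	type Outcome: record {
		uid: string;
		orig: addr;
		status: string;
	};
}

# The return type is the record type's own name, not the keyword "record".
function summarize(rec: SSH::Info): Outcome
	{
	local out: Outcome = [$uid=rec$uid, $orig=rec$id$orig_h, $status="unknown"];

	# auth_success is &optional: test for presence with ?$ before reading it.
	# Reading rec$auth_success while it is unset is a runtime error.
	if ( rec?$auth_success )
		out$status = rec$auth_success ? "success" : "failure";

	return out;
	}

event SSH::log_ssh(rec: SSH::Info)
	{
	local o = summarize(rec);
	print fmt("%s %s ssh auth: %s", o$uid, o$orig, o$status);
	}
```

If every live session reports "unknown" while a pcap replay does not, the checksum FAQ entry linked earlier in the thread is the first thing to check.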