Help with bro scripting exercise question

Hello all, trying to learn bro scripting. I am working through the exercises from the 2011 workshop and I’m getting an error.

I’m on this page:

I’m on Pt3 More Advanced Policy Notice running this script:

const watched_servers: set[addr] = {,,
} &redef;

redef Notice::policy += {
	[$action = Notice::ACTION_ALARM,
	 $pred(n: Notice::Info) =
		return n$note == SSH::Login && n$id$resp_h in watched_servers;

And I'm getting an error that says

#bro -r ssh.pcap local advancebro.bro 
error in ./advancebro.bro, line 10: unknown identifier SSH::Login, at or near "SSH::Login"

Sorry that code is out of date! Quite a few years have passed since
that workshop. Are you just trying to go through the workshop code or
are you actually trying to achieve a particular behavior? If you're
trying to achieve a behavior, I can help you out with the more modern
way to do that if you'd like. If you are just trying to go through
the workshop code then I'd say to just skip that one. :slight_smile:

Have you look at the exercises on


I’m trying to do several things. My main goal is to learn how to script so I can build notices and alerts based on threats specific to my environment.

Right now, I’m trying to figure out how to get bro to send an email when it generates a notice.

I’ve been looking at this page:

and this page:

and this email from the archive:

and this reference from a google search:

But my attempt at putting all of that together using the example script from the aforementioned 2011 exercise isn’t working…

#redef Notice::alarmed_types += {
redef Notice::ignored_types += {

redef Notice::mail_dest = “”;

hook Notice::policy(n: Notice::Info)
if ( n$note == SSH::Password_Guessing )
add n$actions[Notice::ACTION_EMAIL];

Any direction you can provide would be helpful.

And yes, I’ve gone through most of those exercises at, but they don’t cover how to send notices via email.