Send email on any SSH attempt

Hi All,

I am very new to Zeek. I was trying to send an email on any SSH attempt, regardless of success or failure. The notice framework is really confusing and I could not find much information online. Would be great if someone can explain to me what I need to do to solve this specific issue.

Please find attached what I have tried so far. Please also note that whenever I tried to run my scripts with a pcap file it generates a notice.log. However, if I load my script from local.zeek then I cannot find any notice.log in $PREFIX/bro/logs/current.

zeek_mail.zeek is where the Notice implementation is done and zeek_mail2.zeek is where the notice hook is applied.

Kind regards,
Merril.

zeek_mail2.zeek (225 Bytes)

zeek_mail.zeek (353 Bytes)

Hi Merril,

In zeek_mail.zeek, change “$note=Notice::Login_attempted” to “$note=SSH::Login_attempted”. This is because you exported the additional notice type from the SSH module namespace.

I’m not completely sure, but you may need to change the second @load directive in zeek_mail2.zeek to “zeek_mail” instead of “alert_ssh_attempted.zeek”.

-AK

Hi Anthony,

Thank you for the reply. I have changed the files as suggested by you (please find the new files attached for reference). I loaded both zeek_mail.zeek and zeek_mail2.zeek from local.zeek (e.g. @load /usr/local/bro/share/bro/site/zeek_mail.zeek). I restarted Zeek with zeekctl deploy. Then I logged out of my AWS EC2 server and logged back in. I can see ssh.log under $PREFIX/logs/current but no notice.log, and I did not receive an email. I am not sure if there is something else I am missing.

Please note that I have MailTo=“email@address” set in my zeekctl.cfg, I can send an email using sendmail manually, and Zeek seems to send emails for the connection summary and capture loss fine. I tried, to the best of my efforts, most of the resources on notices available online without success. Any help would be much appreciated.

Kind regards,
Merril.

zeek_mail.zeek (350 Bytes)

zeek_mail2.zeek (215 Bytes)
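For reference, here is an added, self-contained script that does what the thread is after (it is not Merril's attachment and not part of the original posts): it exports the notice type from the SSH module so it is addressed as SSH::Login_attempted, raises it from the ssh_auth_attempted event so both successful and failed logins are covered, and adds ACTION_EMAIL in the Notice::policy hook. It assumes a Zeek release that provides the ssh_auth_attempted event and that Notice::mail_dest is already populated (zeekctl sets it from MailTo in zeekctl.cfg).

```zeek
@load base/frameworks/notice
@load base/protocols/ssh

module SSH;

export {
    redef enum Notice::Type += {
        ## Raised on every SSH authentication attempt, success or failure.
        Login_attempted,
    };
}

# ssh_auth_attempted fires once per authentication attempt, after Zeek has
# inferred whether it succeeded, so one handler covers both outcomes.
event ssh_auth_attempted(c: connection, authenticated: bool)
    {
    # No $identifier is set on purpose: with one, the framework would
    # suppress repeats for the same client/server pair for
    # Notice::default_suppression_interval (1 hour), and the goal here is
    # one notice, and one mail, per attempt.
    NOTICE([$note=SSH::Login_attempted,
            $msg=fmt("SSH authentication %s from %s to %s:%s",
                     authenticated ? "succeeded" : "failed",
                     c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $sub=authenticated ? "success" : "failure",
            $conn=c]);
    }

# The policy hook decides what happens to each notice. ACTION_LOG (which
# produces notice.log) is applied by default; ACTION_EMAIL has to be added
# explicitly, and it only sends if Notice::mail_dest is non-empty.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == SSH::Login_attempted )
        add n$actions[Notice::ACTION_EMAIL];
    }
```

If no notice.log appears at all on a live interface, check ssh.log first: a notice is only raised for connections whose authentication outcome the SSH analyzer actually inferred, so a missing auth result in ssh.log means the event never fired.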