software.log

John_Babio1 · December 4, 2013, 4:12pm

Here is what I have so far. It is working but I don’t know if it is written correctly.

@load base/frameworks/notice

@load base/frameworks/software

module OLD_JAVA;

module HTTP;

export {

redef enum Notice::Type += {

OLD_JAVA::Java_seen,

};

}

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=2

{

if ( Software::found(c$id, [$unparsed_version="Java/1.7.0_40", $host=c$id$orig_h]));

{

NOTICE([$note=OLD_JAVA::Java_seen, $msg=fmt("Old Java Seen")]);

}

Azoff_Justin · December 4, 2013, 4:43pm

You want to add $conn=c to the notice, otherwise it won't contain the
address information.

Topic		Replies	Views
Hui Lin_NOTICE function redefinition error Zeek	6	75	May 6, 2022
Bro Digest, Vol 92, Issue 4 Zeek	1	73	May 6, 2022
Question regarding an error Zeek	3	150	May 6, 2022
field value missing error Zeek	3	93	May 6, 2022
Checking for null/undefined variables Zeek	3	63	May 6, 2022