Alert not generated on Security onion #7706
Did you load the script according to https://docs.securityonion.net/en/2.3/zeek.html#custom-scripts?
The script generates an alert on a local Ubuntu machine but not in Security Onion. Below is the Zeek script:
@load base/frameworks/files
@load base/frameworks/notice
export {
	# Single notice type shared by the three SMB2 request handlers below.
	redef enum Notice::Type += {
		Match
	};

	# Emit a Match notice for every SMB2 NEGOTIATE_PROTOCOL request.
	# NOTE(review): c$smb_state and current_cmd are expected to be filled in by
	# the base SMB scripts before this handler runs; if this handler is ordered
	# ahead of them (same &priority), the field access below fails at runtime
	# and the notice is never raised — confirm ordering on the target sensor.
	event smb2_negotiate_request(c: connection, hdr: SMB2::Header, dialects: index_vec) &priority=5
		{
		local cmd = c$smb_state$current_cmd$command;
		if ( cmd != "NEGOTIATE_PROTOCOL" )
			return;

		NOTICE([$note=Match,
		        $msg="NEGOTIATE_PROTOCOL Request",
		        $conn=c]);
		}

	# Record the requested file name on the current SMB file state and emit a
	# Match notice carrying that name when the command is CREATE.
	# NOTE(review): current_file is assumed to already exist on c$smb_state when
	# this runs — verify against the base SMB2 handlers' priority.
	event smb2_create_request(c: connection, hdr: SMB2::Header, request: SMB2::CreateRequest) &priority=5
		{
		c$smb_state$current_file$name = request$filename;

		# Guard form of the original conjunction: bail unless a name is set and
		# the command is CREATE (short-circuit order preserved).
		if ( ! c$smb_state$current_file?$name
		     || c$smb_state$current_cmd$command != "CREATE" )
			return;

		NOTICE([$note=Match,
		        $msg="Create Request",
		        $file_desc=c$smb_state$current_file$name,
		        $conn=c]);
		}

	# Store the tree path on the current SMB tree state and emit a Match notice
	# with the path as $sub when the command is TREE_CONNECT.
	# NOTE(review): current_tree is assumed to already exist on c$smb_state when
	# this runs — verify against the base SMB2 handlers' priority.
	event smb2_tree_connect_request(c: connection, hdr: SMB2::Header, path: string) &priority=5
		{
		c$smb_state$current_tree$path = path;

		if ( c$smb_state$current_cmd$command != "TREE_CONNECT" )
			return;

		NOTICE([$note=Match,
		        $msg="TREE_CONNECT Request ",
		        $sub=c$smb_state$current_tree$path,
		        $conn=c]);
		}
}