Closed owengauci98 closed 6 months ago
We do not do support in issues (or discussions for that matter). The channels to request support are our forum or Zeek Slack.
As general feedback, it is not clear to me how to reproduce this issue with the given information. In particular, when base scripts are changed, making clear every changed bit is crucial. Typically a better approach is to change configuration values in `local.zeek` (the variables you changed are all marked `&redef`), e.g.,

```zeek
@load policy/protocols/ssh/detect-bruteforcing
@load policy/protocols/http/detect-sqli
redef SSH::password_guesses_limit = 5;
redef SSH::guessing_timeout = 1min;
redef HTTP::sqli_requests_threshold = 3.0;
redef HTTP::sqli_requests_interval = 1min;
```
For my setup this produces Zeek SQL injection notices if I perform the following query derived from the Zeek test suite:

```
curl "http://example.com/index.asp?ID=1'+139+'0"
```
This also produces SSH bruteforcing notices for me when I run against this file in the Zeek test suite.
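To confirm whether the `redef` settings above actually produced notices, the following added example (not code from this thread or from the Zeek project) parses a TSV-format `notice.log` and reports which expected notice types are absent. The `EXPECTED` set names notice types defined by the two loaded policy scripts; the sample log is constructed, with a reduced field set and placeholder messages.

```python
import io
from collections import Counter

# Notice types defined by the two policy scripts loaded in local.zeek.
EXPECTED = {
    "HTTP::SQL_Injection_Attacker",
    "HTTP::SQL_Injection_Victim",
    "SSH::Password_Guessing",
}

def parse_zeek_tsv(stream):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    sep, fields = "\t", None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The header stores the separator escaped, e.g. "#separator \x09".
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split(sep)))

def check_notices(stream, expected=EXPECTED):
    """Return (count per notice type, sorted list of expected types not seen)."""
    seen = Counter(rec.get("note", "-") for rec in parse_zeek_tsv(stream))
    return seen, sorted(set(expected) - set(seen))

# Constructed sample: real notice.log files carry many more columns.
SAMPLE = (
    "#separator \\x09\n"
    "#fields\tts\tnote\tmsg\tsrc\n"
    "1700000000.0\tHTTP::SQL_Injection_Attacker\tconstructed message\t192.0.2.10\n"
    "1700000005.0\tHTTP::SQL_Injection_Victim\tconstructed message\t192.0.2.20\n"
    "#close\t2023-11-14-22-13-25\n"
)

if __name__ == "__main__":
    seen, missing = check_notices(io.StringIO(SAMPLE))
    print("seen:", dict(seen))
    print("missing:", missing)
```

To run it against a real log, pass an open file handle for `notice.log` to `check_notices` instead of the sample.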
Hi, I have installed Zeek (6.2.0-dev.481) on Ubuntu 22 for a personal little project to test SQLi and SSH Bruteforce/Dictionary attacks in my own network. For some reason it doesn't generate notices when I test these attacks.
networks.cfg
node.cfg
local.zeek
detect-sqli.zeek
### detect-bruteforcing.zeek