zeek-dev June 2017

zeek-dev@lists.zeek.org

5 discussions

[Bro-Dev] input-framework file locations

by Aashish Sharma

I have been thinking and trying different things but for now, it appears that if we are to share policies around, there is no easy way to be able to distribute input-files along with policy files. Basically, right now I use redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ; and then expect everyone to edit path as their setup demands it and place accompanying sample file in the directory or create one for themselves - this all introduces errors as well as slows down deployment. Is there a way I can use relative paths instead of absolute paths for input-framework digestion. At present a new-heuristics dir can have __load__.bro with all policies but input-framework won't read files relative to that directory or where it is placed. redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ; Something similar to __load__.bro model Also, one question I have is should all input-files go to a 'standard' feeds/input dir in bro or be scattered around along with their accompanied bro policies (ie in individual directories ) Something to think about as with more and more reliance on input-framework i think there is a need for 'standardization' on where to put input-files and how to easily find and read them. Aashish

3 years, 3 months

[Bro-Dev] iosource: pcap_set_timeout vs pcap_set_immediate

by Valerio

Hi all, looking at PcapSource::OpenLive() in iosource/pcap/Source.cc I was wondering whether it would be better to use pcap_set_immediate instead of "setting the smallest time-out possible" with pcap_set_timeout. Could it be that, especially in high-throughput environments, the introduced timeout in polling on the socket buffer may cause initial packet loss? best, Valerio

3 years, 5 months

[Bro-Dev] Bro Package Manager: list of packages

by Dopheide, Jeannette M

Attention Bro Community, While we’re in the process of developing a web site for the Bro Package Manager project, we’d like to share the packages we have collected so far. The package names and a short description are listed below: bro/0xxon/bro-postgresql - A PostgreSQL reader and writer for Bro. bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str). bro/corelight/bro-long-connections - Find and log long-lived connections into a "conn_long" log. bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation. bro/dopheide/venom (installed: master) - https://security.web.cern.ch/security/venom.shtml bro/hhzzk/dns-tunnels - Detect DNS Tunnels attack. bro/initconf/CVE-2017-5638_struts.git bro/initconf/phish-analysis.git bro/initconf/scan-NG bro/j-gras/add-json - Additional JSON-logging for Bro. bro/j-gras/bro-af_packet-plugin - This plugin provides native AF_Packet support for Bro. bro/j-gras/intel-extensions - Extensions for Bro's intelligence framework. bro/joesecurity/Joe-Sandbox-Bro - JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox. bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling. bro/jsiwek/bro-test-package - An example Bro package for testing purposes. bro/jswaro/tcprs - TCP Retransmission and State Analyzer plugin for Bro. bro/ncsa/bro-interface-setup - A broctl plugin that helps you setup capture interfaces bro/pgaulon/bro-notice-slack - Bro Notices through Slack webhook bro/scebro/ldap-analyzer - LDAP write operations analyzer for Bro. bro/sethhall/bro-myricom - Packet source plugin that provides native Myricom SNF v3+v4 support. bro/sethhall/credit-card-exposure - Detect credit card numbers in HTTP and SMTP with Bro. bro/sethhall/domain-tld bro/sethhall/ssn-exposure - Detect US Social Security numbers in HTTP and SMTP with Bro. bro/srozb/dns_axfr - Find and notice DNS zone transfer attempts. bro/theflakes/bro-large_uploads - Raise notices on outgoing files over X bytes in size. To learn how to use the Package Manager, see our documentation here: http://bro-package-manager.readthedocs.io/en/stable/index.html ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

3 years, 5 months

[Bro-Dev] clusterization issue: logger node vs manager node or both ?

by Aashish Sharma

SO with the emergence of logging node, I am encoutering an issue with clusterization and was seeking feedback on whats a better way to do this. Presently I have been using: @if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) || ! Cluster::is_enabled()) @end if and events worker2manager_events and manager2worker_events. With logging node: I can surely do "Cluster::local_node_type() == Cluster::LOGGER" and then events logger2manager_events and logger2worker_events etc etc so on so forth. The issue I am facing is that to begin with I don't know if someone is only going to run manager only or if someone is going to run logger node as well, making the following clumsy: - @if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER ) || ! Cluster::is_enabled()) - if manager then use worker2manager and manager2worker events OR - @if (( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::LOGGER) || ! Cluster::is_enabled()) - if logger then user logger events ? Any thoughts on how to handle existence or non-existence of logger node in a clusterization scheme ? Aashish

3 years, 6 months

Re: [Bro-Dev] Bro Package Manager Questionnaire

by Dopheide, Jeannette M

Friendly reminder to fill out this questionnaire. Thanks to those who have responded so far! ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign On 5/30/17, 1:09 PM, "bro-dev-bounces(a)bro.org on behalf of Dopheide, Jeannette M" <bro-dev-bounces(a)bro.org on behalf of jdopheid(a)illinois.edu> wrote: The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, which additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable. Please let us know what features you would like to see by filling out our questionnaire: https://goo.gl/forms/VyVH1aRIBB2qdZF53 ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign _______________________________________________ bro-dev mailing list bro-dev(a)bro.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

3 years, 6 months

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

zeek-dev June 2017