zeek July 2013

zeek@lists.zeek.org

24 participants
26 discussions

by Champion,Jerry

I am getting a Dependency is not satisfiable: libc6(<2.12) error message. [cid:image001.png@01CE5875.C815C190] I have run the required dependency: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev But I have version 2.17 [cid:image002.png@01CE5875.C815C190] Can someone assist me with this? VR Jerry Champion Information Secuity Engineer Synovus Financial Corp 706-644-4589

7 years, 2 months

[Bro] Additional Records in DNS

by Chris Crawford

I'm trying to write a bro script that pulls out authoritative nameservers and additional records from DNS. I think I need the the dns_EDNS_addl event to get at that part of a DNS reply, since the dns_edns_additional structure seems like it has the information I'm looking for: http://trac.bro-ids.org/sphinx-git/scripts/base/init-bare.html#type-dns_edn… Unfortunately, it looks like dns_EDNS_addl isn't implemented yet: # scripts/base/protocols/dns/main.bro 318 # TODO: figure out how to handle these 324 #event dns_EDNS_addl(c: connection, msg: dns_msg, ans: dns_edns_additional) Has anyone worked out a way to grab this information from a DNS reply? If not, could anyone point me in the right direction so that I can roll my own solution? -Chris

7 years, 8 months

[Bro] Bro working with a Cisco Ironport WSA

by Chris Bennett

I was trying out BRO and was using a span port from the inside interface of our firewall. I was wondering about if there is any feature in BRO that you can use to understand all the redirection that happens because of our new Cisco WSA. BRO is going bonkers with all the half-open sessions, etc that the WCCP redirects from the firewall to the WSA cause. I am thinking that I will have to better engineer where I am looking at traffic, but I thought I would ask first. Thanks for any insight you can provide. Chris Bennett, CISSP, GSNA Dir. of Information Security and Infrastructure Support Lansing Community College 517-483-5264

8 years, 2 months

[Bro] SSL: Check Certs Revoked

by Jessica Smith

Hi, how can I check if a X.509 certificate has been revoked? Thanks in advance. Jessica.

8 years, 2 months

Re: [Bro] Elastic Search

by Vlad Grigorescu

On Jul 29, 2013, at 1:23 PM, Bob Probert <bruisebrotherprobert(a)gmail.com> wrote: > Seth, > > I read on the security-onion list that Bro's Elastic Search writer doesn't write the correct metadata indexes for use with Kibana. Can you elaborate? > > https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0 Previous versions of Kibana were designed to only work with Logstash data, which introduces certain assumptions about the way the data is stored. At one point, I had a fork of Kibana that worked with Bro, because it allowed extra configuration. I haven't updated it with the release of Kibana3, and don't intend to. Kibana3 might be flexible enough to support Bro's data, but I haven't checked yet. If you are interested in using Kibana, I would advise you to be *very* careful about the risks introduced by allowing a user's browser to directly query ElasticSearch. ElasticSearch has no security protections, and all it takes is a curl -XDELETE es.local:9200 to delete all your log data. Kibana does come with a sample nginx config, so I would definitely look at that at least. > Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this? > > http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro Bro queues undelivered log messages in memory. If Bro is logging faster than ElasticSearch can accept logs, more and more memory is used. There's no memory leak - if your ElasticSearch server can't keep up, the logs simply have nowhere to go, and instead of being dropped, they just queue up on the manager. --Vlad

8 years, 2 months

[Bro] Elastic Search

by Bob Probert

Seth, I read on the security-onion list that Bro's Elastic Search writer doesn't write the correct metadata indexes for use with Kibana. Can you elaborate? https://groups.google.com/forum/#!topic/security-onion/mmxZfVfO0D0 Also, I read in the comments of "elasticsearch.bro" that there is some sort of memory leak either in the elastic search writer or elastic search itself? Can you also elaborate on this? http://www.bro-project.org/sphinx-git/_downloads/elasticsearch.bro Thanks!!

8 years, 2 months

[Bro] vulnerable.bro error on check, Was RE: Myricom and Bro

by Tyler T. Schoenke

> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }]) Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses error. Is it safe to assume accounts didn't get ported over to the new Tracker? Tyler

8 years, 2 months

Re: [Bro] vulnerable.bro error on check

by Vlad Grigorescu

On Jul 27, 2013, at 7:00 PM, Tyler T. Schoenke <tyler.schoenke(a)colorado.edu> wrote: >> fatal error in /opt/bro/share/bro/policy/frameworks/software/vulnerable.bro, line 41: BroType::AsRecordType (table/record) (set[record { min:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; max:record { major:count; minor:count; minor2:count; minor3:count; addl:string; }; }]) > > Not trying to hijack the thread, but ditto for me on the above message. I just updated to git master today after running an old version for a long time. Commenting out f/s/vulnerable in local.bro bypasses error. The way vulnerable software is specified has changed to allow for more flexibility. Here's what my local.bro has, for example: > global java_1_6_vuln: Software::VulnerableVersionRange = [$max=[$major=1,$minor=6,$minor2=0,$minor3=44]]; > global java_1_7_vuln: Software::VulnerableVersionRange = [$min=[$major=1,$minor=7], $max=[$major=1,$minor=7,$minor2=0,$minor3=20]]; > > redef Software::vulnerable_versions += { > ["Java"] = set(java_1_6_vuln, java_1_7_vuln) > }; This defines any Java <= 1.6.0.44 and any Java >= 1.7 and <= 1.7.0.20 as vulnerable. >From CHANGES: > 2.1-366 | 2013-03-17 12:35:59 -0700 > > * Improvements to vulnerable software detection. (Seth Hall) > > - Add a DNS based updating method. This needs to be tested > still. > > - Vulnerable version ranges are used now instead of only single > versions. This can deal with software with multiple stable > major versions. > > * Update software version parsing and comparison to account for a > third numeric subversion. Also, $addl is now compared numerically > if the value is actually numeric. (Seth Hall) > Is it safe to assume accounts didn't get ported over to the new Tracker? See: <http://blog.bro.org/2013/07/bug-tracker-migration.html>, specifically: > The most significant thing users should note is that as part of the import in to JIRA, accounts have been created with the same usernames as were in Trac, however password resets need to be requested before they can be used to log in. This can be done by selecting the "Unable to access your account?" link from the log in screen to request password reset instructions via email. Hope this helps, --Vlad

8 years, 2 months

[Bro] Request for Handholding - BIF Extending

by anthony kasza

Hey Bro, I'm wondering if any examples or walk-throughs exist for extending Bro's set of built in functions. Perhaps some dumby C++ code that I could play around with that outlines some basics, similar to what example.bro (http://bro.org/sphinx/_downloads/example.bro) does for script land. Does anyone have any suggestions or starting points? Thanks all, -AK

8 years, 2 months

[Bro] questions about binpac

by nicolas.retrain＠cea.fr

Hi, I am trying parse BER with binpac, but I have some difficulties, and I wonder if there is a clean way to implement the protocol. -First, is it possible to use recursive code in binpac? type A = record { field1 : uint8; field2 : case field1 of{ [...] 0x10 -> value : B; [...] }; }; type B = record { [...] field1 : A; } This kind of dependency give me "error 139" at compilation time. (Sorry for writing code in a email..) -Secondly, I need to do some computations on the current byte to know how to parse the next ones. I can sum up the problem, for instance, with the length field. Due to the X.690 documentation (https://www.itu.int/rec/T-REC-X.690-200811-I), the algorithm is : -if the lead bit of the first byte is 0, then the byte is the packet length. ex : 0x20 0x02 0x01 0x.. ^ | ---- -- -- -- ... |other fields | | length -else , the 7 other bits of the first byte give then number of byte to parse in order to retrieve the packet length. ex : 0x84 0x00 0x00 0x00 0x41 0x.. ^ ^ | -- ... |other fields |-- -- -- -- -- -- -- --| length In my binpac I have tried something with &let and &if, but it was not working. Is there a way to do it in full binpac code? (otherwise I will write it in C++). Thanks for your help ! Nicolas

8 years, 2 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2013