zeek February 2014

zeek@lists.zeek.org

36 participants
35 discussions

by Champion,Jerry

I am getting a Dependency is not satisfiable: libc6(<2.12) error message. [cid:image001.png@01CE5875.C815C190] I have run the required dependency: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev But I have version 2.17 [cid:image002.png@01CE5875.C815C190] Can someone assist me with this? VR Jerry Champion Information Secuity Engineer Synovus Financial Corp 706-644-4589

7 years, 10 months

[Bro] Sanity check - Grabbing platform tokens from browser user agents (was p0f)

by Gary Faulkner

After being asked if Bro could be used to gather passive intelligence on OS usage I started investigating places to try to identify OS. I initially was looking into p0f and Seth showed me a way to invoke the existing p0f fingerprinting functionality within Bro, but also suggested a slew of other data sources to look at. I wasn't terribly excited with the p0f fingerprint output, and while browser user agents may not be the best data source, I decided to start by looking at platform tokens and reporting on those instead of the p0f data. This is my first-ish bro script and it is by no means a complete script (it only matches a handful of Windows OS). I'm wondering if folks see anything in the attached that would misbehave badly if used on live traffic instead of pcaps? Regards, -- Gary Faulkner

8 years, 1 month

[Bro] Writing JSON logs

by Tritium Cat

Bro, I made a patch for the Ascii log writer to write the logs in JSON format. This was thanks to the existing code from the ElasticSearch writer and copy/paste skill. But when I try to enable the writer at runtime there are errors. Why ? See patch. ( cd bro-2.2; patch -p1 < bro--write_json.patch ) Thanks, --TC event bro_init() { LogAscii::write_json=T; } results in # bin/broctl check manager failed. error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7: const is not a modifiable lvalue (LogAscii::write_json) proxy-1 failed. error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7: const is not a modifiable lvalue (LogAscii::write_json) worker-1 failed. error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7: const is not a modifiable lvalue (LogAscii::write_json) worker-2 failed. error in /usr/local/3rd-party/bro/share/bro/site/local.bro, line 7: const is not a modifiable lvalue (LogAscii::write_json)

8 years, 2 months

[Bro] bug in ssl_alert event?

by Jessica Smith

Hi, why when I print the "level" of the alert message I get numbers different from 1 (warning) or 2 (fatal) ? event ssl_alert(c: connection, is_orig: bool, level: count, desc: count) { print fmt("%d %d", level, desc); } #out 61 173 123 165 13 61 200 80 8 121 187 31 144 218 82 243 6 224 237 72 115 121 92 152 196 44 2 255 141 216 42 88

8 years, 2 months

Re: [Bro] SMB Event Prototype Issue

by Pearson, David

Hello again, You can ignore my last question; I found Seth's topic github branch on SMB. Thanks, David

8 years, 2 months

[Bro] Mix different OSes as a workers in the same Bro cluster

by C. L. Martinez

Hi all, Is it possible to use different operating systems as a workers inside the same Bro cluster? I have a CentOS host acting as a Bro manager/proxy and 5 CentOS acting as a workers. Now, I need to add two FreeBSD hosts inside this cluster. I have do it a simple test in a VM environment, and CentOS manager has transferred Bro libraries and binaries to a FreeBSD vm configured as a worker inside the cluster. Is it possible to avoid this situation?? Thanks.

8 years, 2 months

[Bro] Question about Controller Framework

by Alexander Tsankov

Hi, I am trying to work with the bro control framework and I had two main questions about it: 1) Is it possible for one BRO script (Script 1) to send a request to another BRO script(Script 2), possibly on the same device , and for Script 2 to return a list of all of its local/global variables without Script 1 having known about any of them? I am working on an SDN project and my goal is to have a BRO box running a master script and whenever I send a generic bro script to the box, I am trying to get the new script to return a list of all variables to the master bro script(script 1), and from the master script, send it back to the original sender. 2) Is it possible for Script 1 to modify variables on script 2 on the fly? Any help is appreciated. - Alex

8 years, 2 months

[Bro] vector array of string used as a pattern for matching

by Kellogg, Brian D (OLN)

I'm trying to create an array of domain names that I want to use as a pattern to search on. I know the below is wrong; just looking for someone to educate me on how to do this in a Bro script if it can be done. thanks global ignoreDomains: vector of string = vector("webex.com", "pwc.com", "messagelabs.com","akamaitechnologies.com"); when (local dst = lookup_addr(c$id$resp_h)) { if (/ignoreDomains$/ in dst) return; } Thank you, Brian Kellogg Security Analyst; IT Governance, Risk, and Compliance 500 Paul Clark Drive, Olean, NY 14760 T: (716) 375-3186 | F: (716) 375-3557 www.dresser-rand.com<http://www.dresser-rand.com/> NYSE: DRC [Description: Description: Description: Description: Description: Description: d-r_wordraster3R-hi] Bringing energy and the environment into harmony(r) IMPORTANT NOTICE: This email may be confidential, may be legally privileged, and is for the intended recipient only. Unauthorized access, disclosure, copying, distribution, or reliance on any of it by anyone else is prohibited and may be a criminal offense. Please delete if obtained in error and email confirmation to the sender.

8 years, 2 months

[Bro] Send notices to a new log file instead of notice.log

by Shaleta Bennett

Is it possible to send notices to new log file instead of notice.log? If so, can anyone explain how this can be done? Thanks!

8 years, 2 months

[Bro] Bro problem - no software.log written

by עומר עומר

8 years, 2 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek February 2014