zeek April 2014

zeek@lists.zeek.org

42 participants
41 discussions

by Champion,Jerry

I am getting a Dependency is not satisfiable: libc6(<2.12) error message. [cid:image001.png@01CE5875.C815C190] I have run the required dependency: sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev libmagic-dev But I have version 2.17 [cid:image002.png@01CE5875.C815C190] Can someone assist me with this? VR Jerry Champion Information Secuity Engineer Synovus Financial Corp 706-644-4589

7 years, 2 months

[Bro] Bro Log Filename Question

by Jason Batchelor

Hello Bro Community: I was wondering if there was an easy way to modify log filenames that are placed into the spool directory. All I would like to to, is to simply append 'bro.' to the beginning of each filename. I searched around a bit thinking there may be a simple configuration option I could modify in the broctl.cfg file. Unfortunately however, I have not come upon any solution yet and feel like I am likely missing something obvious. As an example, I would like the prefix to be something like 'bro.conn.log' instead of 'conn.log' for all files being written to the '/var/opt/bro/spool/bro' directory. Is there a simple way to do this using the Bro application? Thanks very much for your time and assistance. -Jason

7 years, 4 months

[Bro] Module pf_ring not found.

by John Hoyt

I followed the steps for configuring load balancing here: http://www.bro.org/documentation/load-balancing.html Everything worked great, but I had to restart the server and now I can't load the PF_RING module. sudo modprobe pf_ring enable_tx_capture=0 min_num_slots=32768 FATAL: Module pf_ring not found. When I run: ldd /bro/bin/bro | grep pcap It get the following: libpcap.so.1 => /opt/pfring/lib/libpcap.so.1 (0x00007f3aeb8ff000) In the instructions it stated: "Refer to the documentation for your Linux distribution on how to load the pf_ring module at boot time." But I wasn't able to find any details on how to do so. Any suggestions? Thanks, John

7 years, 4 months

[Bro] Bro Cluster Dropped Packets

by M K

Is there any way to determine the cause of dropped packets? I'm running Bro Cluster (2.2) on a single machine with 1 manager, 1 proxy and 10 workers. The total number of workers is much less than the number of cpus in this machine (system load doesn't usually get higher than 2 and individual worker processes hover at around 30-40% cpu utilization). The machine has PF_Ring and related ethernet drivers installed. After looking at netstats there's always some dropped packets. The occasional dropped packet isn't usually a cause for concern but some workers show large numbers of dropped packets. I'd like to know what part of the process is bottle-necked and causing packets to be dropped. The documentation mentions that broctl cron logs stats but doesn't mention where they're located (didn't see anything in spool that looked like cluster runtime stats) or how to view the data. Anyone have any ideas?

7 years, 4 months

[Bro] Filenames not extracted in files.log

by Bob Probert

Hi all, After looking at an aggregate 30 days of files.log in Splunk, I noticed that 98% of the files identified by Bro have no filenames associated with them. While I haven't done any rigorous testing of this, it just seems wrong. Is this a known bug? Is anyone else experiencing this?

7 years, 4 months

[Bro] Bro Cluster Elasticsearch rotation_interval ignored

by M K

I'm testing out the ElasticSearch writer in a Bro Cluster (2.2 release) along with the Ascii writer. I've set LogRotationInterval to an hour (3600) in broctl.cfg which I know sets or overrides Log::default_rotation_interval and in my local.bro I've overridden the rotation_interval parameter of the ElasticSearch Logger (defined in logs-to-elasticsearch policy) to be every 24 hours. Apparently, Bro seems to be ignoring the rotation_interval value. I've tried not setting LogRotationInterval and setting Log::default_rotation_interval in my local.bro file but i got similar results. Is there anyway to have the Ascii writer use a 1hr rotation interval while the ElasticSearch writer uses a different one? Looking through the docs/code it doesn't look like LogAscii has a rotation_interval of its own.

7 years, 4 months

[Bro] Broctl policy files

by M K

Is there any guidance/information as to how things should be split up between the 3 types of site policies (manager, proxy, worker). Can it actually make a difference in performance or is it mainly there for organization purposes? As far as I can tell the docs only mention that notice filtering needs to be done on the manager and everything else can go into the generic local.bro file. Is there any further guidance?

7 years, 4 months

[Bro] Bro 2.1 support for sniffing on multiple interfaces faces

by Coen Bakkers

Does Bro 2.1 support sniffing on several interfaces at the same time? I have tried this now on a dozen of nodes, and the behavior does not seem to be consistent. Note that I am not trying to sniff an outbound and an inbound stream that are related, but I have a tap port on a separate network that I also interested in in covering. Sometimes multiple interfaces in node.cfg will work, but sometimes it makes Bro just hang and not record any of the http, dns, ftp logs etc..

7 years, 4 months

[Bro] bro sequence diagram

by Prateek Gupta

Hello, I wanted to know if there is an easy way to represent bro working in a sequence diagram? Any help is appreciated. Thank you, Prateek Gupta

7 years, 4 months

[Bro] File extraction and archive files

by Parker, Jonathan E.

I've been tasked to find files with a specific "signature" in the file header, where the file will be within an archive of files. This needs to be agnostic of the protocol that transported the archive file. I'm thinking the way to do this is to use the new File Analysis framework. Does Bro provide a mechanism to "automagically" extract the contents of an archive when it is an archive file that is being extracted from a protocol, or is this something I'm going to have to script myself? How can I know that a file has been fully received such that I can begin my analysis? Thanks - Jon

7 years, 4 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2014