zeek July 2014

zeek@lists.zeek.org

43 participants
34 discussions

by James Lay

Hey All, So I run bro instead of broctl. Currently, if I stop a running bro, and start it again, bro overwrites any previous log files...is there a way to change this behavior? Thank you. James

6 years, 11 months

[Bro] A question on barnyard2 integration

by James Lay

Ok actually two questions: 1) I'm not able to get this to load with either: @policy/integration/barnyard2 @integration/barnyard2 And from barnyard2 docs: alert_bro ---------------------------------------------------------------------------- Purpose: Send alerts to a Bro-IDS instance. Arguments: hostname:port Examples: output alert_bro: 127.0.0.1:47757 How do I set the port that bro listens to? Thank you. James

7 years

[Bro] filter extension

by roi hatam

Hello I'm try to sniff http requests, but I don't want to see any kind of pictures like gif, jpg ,png ... What is the earliest stage that I can block those file extensions ? the pcapfilter?

7 years

[Bro] SSLBL

by James Lay

Interesting: https://sslbl.abuse.ch/blacklist/ Wonder if bro can support this? James

7 years

[Bro] File extraction filters

by Mike Kolkebeck

I have two questions on the file extraction framework: 1) If I only want to capture files from a specific worker or ip ranges, what is the best/simplest way to ensure that this happens? -I've tried using f$info$tx_hosts with event file_new, but this seems inconsistently populated, and using f$conns with event file_new seems consistent, but I don't know if it's the best/simplest way. 2) If missing_bytes > 0, what is the best/simplest way to remove the file (and possibly clear it from logging a successful extract in the files.log file)? -I've tested using event file_state_remove, and I can use system to rm the file, but again I'm not sure this is the best/simplest way, and the files.log continues to show this as extracted.

7 years

[Bro] Identifying interface when running with multiple interfaces

by James Lay

Hey all, So I run bro with: /usr/local/bin/bro --no-checksums -i eth0 -i ppp0 local "Site::local_nets += { x.x.x.x/32,192.168.1.0/24 }" & Is there something I can do to add a field that would let me know which interface the traffic came in on? Obviously in this example it's pretty simple...private IP space will be on eth0 whereas public will be on ppp0. I am thinking of scenarios where there might be the same IP space on several interfaces. Thanks for any guidance. James

7 years

[Bro] Bro + Yara File Scanning Module?

by Jason Batchelor

Hello all: I wanted to poke the hive mind to see if anyone has considered, or is actively pursuing integrating Yara into a Bro script? An idea for a script I would like to write is to simply take any file from a 'file_new' event. Then add something like Files::ANALYZER_YARA that would do the heavy lifting and take a user defined path to a master Yara file, scan the file, append the results to either files.log or notice.log, and finally, extract any file that hit on a signature (for further analysis). Interested if this is something that has been considered previously? If so, what were the results? If not, I'm happy to spin off an effort of my own. Either way I see it as a good project to get into Bro scripting at a deeper level. Thanks, Jason

7 years

[Bro] How to extract data to a eml file from smtp traffic

by Robert_Yang＠trendmicro.com.cn

Hi everyone, I want to extract the whole data to a eml file from smtp traffic. And the system event - file_new() only save every mime entity of an email as a file instead of the whole email. This is not I want. I try to add an event in ./share/bro/base/protocols/smtp/file.bro. event smtp_data(c: connection, is_orig:bool, data:string) { print fmt("DATA %d", |data|); } I print size of every data. The amount of every data size is always less than actually size the eml file ( 23137 Byte < 23831 Byte). So what I miss? And how to save data to file in smtp_data event? Please help me about the above question if you are free. Thank you a lot! BR Robert Yang TREND MICRO EMAIL NOTICE The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.

7 years

[Bro] Signature framework questions, endianess and bitwise operations

by James Feister

Had some questions about the signature framework for detecting an application protocol. Is it possible to manipulate bytes for endianness or will they always come in little endian? Is it possible to perform bitwise opperations on payload bytes so that you may perform checks against subsets of bits within the byte? For example I have to look at the first 4 bits of a bigendian defined application layer protocol. For my test cases I can match signatures against a known 8 bit little endian regex but not sure how to get to 4 bits because the next 4 bits will change in an operational environment. If not Im guessing I would have to pump all traffic through my binpac analyzer and do the detection there? Thanks, James

7 years

[Bro] Couple elasticsearch questions

by James Lay

Hey all, A few questions: 1. Is there a proper way to set which logs to send to elasticsearch that I can use in local.bro instead of modifying logs-to-elasticsearch.bro? I am assuming that logs-to-elasticsearch.bro might change in future versions of bro. 2. The docs say to add @load tuning/logs-to-elasticsearch in local.bro...how can I send bro data to a remote elasticsearch server instead? 3. And lastly, as I look at the Brownian demo, I see that all the fields are correctly laid out..was this down with Brownian, or with elasticsearch itself? I'm trying to get bro data into logstash direct, instead of using log files. Thanks for any insight. James

7 years

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2014