zeek December 2015

zeek@lists.zeek.org

45 participants
34 discussions

[Bro] Problem with connections in S1 and SF state

by Sven Dreyer

Dear list, I'm having trouble understanding some log entries from my conn.log. I already learned from this mailing list that bro cannot surely detect who initiated a connection if it does not see the initial connection setup, which seems logical to me. But if I look to my conn.log file, I find entries like these: 1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShAD ad 20 2050 19 6112 (empty) 1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShAD ad 39 2956 36 20360 (empty) It looks like our IMAP server (87.152.221.xxx running on port 50993) initiated a connection to my notebook (192.168.100.yyy). That should not be possible due to lack of port forwarding for this connection. So my first guess is that bro didn't see the initial connection setup (midstream traffic, OTH state). But I took a look into the documentation on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html regarding the reported states (S1), which says: S1 Connection established, not terminated. This looks to me like bro saw the connection setup. Or did I get something wrong here? Oh and by the way: the next paragraph reads: SF Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. I don't understand this. Do S1 and SF really only differ in byte count zero or non-zero? It seems to me that they also differ in "connection still alive" and "connection was terminated". Looking further trough the logs, I also find entries with "SF" flag in whuch source and destination seem twisted: 1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp -462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty) Does anybody have a hint? Did I misunderstand something? I'm running bro 2.4.1. Thanks a lot! Sven

5 years, 5 months

[Bro] Implementing new layer 2 Protocol

by j2om1350＠unibw.de

Hi all, My goal is to integrate a new protocol analyzer in Bro. This protocol (PROFINET dyscovery and Basic Configuration Protocol) is working on layer 2. My question is, are there special considerations to get at the data of the layer 2? My colleague has tried creating an analyzer by following your instructions for coding an analyzer by binpac. Before he went on vacation, he told me, he could access data with binpac of layer 3 but not of layer 2? Is that correct? If so does it work with the new binpac ++? Any pieces of advice or suggestions how to get started would be greatly appreciated. Kind regards Marcel Odenwald

5 years, 7 months

[Bro] Fwd: log writer issue

by György Miru

Hello List, I am developing a Bro analyzer plugin and I have the following issue. The analyzer logs events into three different logfiles, one of which keeps crashing with this error: Reporter::ERROR s7data/Log::WRITER_ASCII: terminating thread This happens before the first event is logged, however the headers are already written into the logfile. I am fairly new to the Bro development so it might be some obvious mistake I make, but I could not find any solution on the internet. I have attached the following files: init_part.bro: the relevant part of the script, used for the logging reporter.log: logfile that contains the error s7data.log: the logfile that causes the crash debug_s7data.log: relevant part of the debug.log file, when bro was run with -B threading switch strace_4938: relevant part of the strace -f output When creating the attached logs bro-2.4 was used, but I tested the analyzer with bro-2.4.1 as well and the problem persists. I hope someone can point out the origin of the error and help me resolve this issue. Thanks, Gyorgy Miru

5 years, 9 months

[Bro] Underscores in field names

by Oliver Keyes

Heya, >From the guide to the various log files (https://www.bro.org/sphinx/script-reference/log-files.html) and some example files I've accumulated it looks like nested fields are represented in "flat" log files with period delimiters. So the orig_h field within the id field becomes id.orig_h. Is this correct? At the same time I'm seeing files with underscores instead of periods. >From what I can see on this mailing list and elsewhere, this is a logging setting - people can switch out periods for underscores to cover the situation where the software they read the logs /into/ does not like periods. My question: can I expect this to be consistent? In other words, for files to either use periods or underscores, but not both at once?

5 years, 10 months

[Bro] [Bro advanced Architecture ]

by Quentin Ricard

Dear broers, I'm currently working on a project involving Bro's core. The idea is to adapt Bro into another architecture and reusing the Protocol Analyser as well as the event engine (not only developing plugins). The problem is that I cannot find enough information on the GitHub/Bro.org web sites. Even In the Doxygen there is no information about the architecture in details (Classes involved etc). So I was wandering if some of you guys had those kind of documents ? If not I'll gladly edit them for you if someone helps me with the architecture details. Sincerely, Quentin Ricard.

5 years, 10 months

[Bro] Issue when Bro is reading a file which capturing live traffic

by Hashem Alaidaros

Hi All, I run tcpdump live to capture the traffic into a file using "-w". Then I run bro to read that file offline using "-r". Both instances are running continuously. First it works fine but then bro stop generating results although it keep running, this means bro didn't continue reading from the file. Is it because bro -r is faster than the live capturing? How to let bro keep reading the file (this file is continuously increasing) My bro version: 2.3 running on ubuntu platform. Thanks -- A friend in need Is a friend indeed

5 years, 10 months

[Bro] Bro dot problem

by Vito Logrillo

Hi all, as you known, Elasticsearch is unable to menage fields with a dot separator. Until now I've used the Bro json output: the output logs were sent to Elastich through Logstash; from Elasticsearch 2.0 this is not possible. Is there a way to substitute a dot with another character? Thanks, Vito

5 years, 10 months

[Bro] How to let Packet filter reading from a file

by Hashem Alaidaros

Dears I want to use packet filtering framework supported by Bro. It filters based on static IP address. But in my case, I want the filter to read IP address from from a dynamic file (a file that is updated from another bro instance). How to do that? My bro version: 2.3 running on ubuntu platform. Thanks in Advance -- A friend in need Is a friend indeed

5 years, 10 months

[Bro] OSPF Dissector

by reda sabir

Hello everyone, I was wondering if is it possible to make an analyzer of OSPF with Binpac. The problem that I face is that OSPF is a layer 4 (there's no tcp or udp). Can anyone give me a solution of my problem? Thanks you, Reda Sabir

5 years, 10 months

[Bro] issues with file extraction. Multiple files created.

by Giedrius Ramas

Hello, I have been experienced strange behavior of BRO file extraction . Here you can see what is extracted in bro extract directory. 0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf 0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1 0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1.1 0 Dec 13 06:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1.1.1 0 Dec 6 06:57 HTTP-FZyPZr1vrwJ5czHazj.swf.1.2 0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.2 0 Dec 13 06:42 HTTP-FZyPZr1vrwJ5czHazj.swf.2.1 359 Dec 1 09:36 HTTP-FZyPZr1vrwJ5czHazj.swf.3 Where should I check for troubleshoot ? I just expected to have one file extracted 359 Dec 1 09:36 HTTP-FZyPZr1vrwJ5czHazj.swf instead of those multiples with zero bytes.

5 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2015