zeek February 2016

zeek@lists.zeek.org

34 participants
33 discussions

by Shawn Homan

I was wondering if anyone can tell me why the sha256 hash functionality isn't turned on by default for the files log. I am working on something and needed to turn it on. I normally only use Bro to process pcap files offline and have never used it on a live network. Does it cause performance issues? Thanks, Shawn

4 years

[Bro] Problem with connections in S1 and SF state

by Sven Dreyer

Dear list, I'm having trouble understanding some log entries from my conn.log. I already learned from this mailing list that bro cannot surely detect who initiated a connection if it does not see the initial connection setup, which seems logical to me. But if I look to my conn.log file, I find entries like these: 1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShAD ad 20 2050 19 6112 (empty) 1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShAD ad 39 2956 36 20360 (empty) It looks like our IMAP server (87.152.221.xxx running on port 50993) initiated a connection to my notebook (192.168.100.yyy). That should not be possible due to lack of port forwarding for this connection. So my first guess is that bro didn't see the initial connection setup (midstream traffic, OTH state). But I took a look into the documentation on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html regarding the reported states (S1), which says: S1 Connection established, not terminated. This looks to me like bro saw the connection setup. Or did I get something wrong here? Oh and by the way: the next paragraph reads: SF Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. I don't understand this. Do S1 and SF really only differ in byte count zero or non-zero? It seems to me that they also differ in "connection still alive" and "connection was terminated". Looking further trough the logs, I also find entries with "SF" flag in whuch source and destination seem twisted: 1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp -462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty) Does anybody have a hint? Did I misunderstand something? I'm running bro 2.4.1. Thanks a lot! Sven

4 years, 8 months

[Bro] [bro] Scanning IP's

by Tim Desrochers

As with every infrastructure I am plagued with people scanning my external edge. I see little value in getting notices for scanning attempts and password guessing attempts but I do see value in running monthly reports and generating blocklists based on repeat offenders. Is there a way to tell the notice framework to only create alarms (emails) if it sees scans of any kind (address, port, password guessing, etc) if they are from the IP's in my $HOME_NET defined in network.cfg? Justification, If I redef Notice::ignored_types += { SSH::Password_Guessing, Scan::Address_Scan, Scan::Port_Scan, HTTP::SQL_Injection_Attacker, ShellShock::Scanner, ScanUDP::Address_Scan, ScanUDP::Port_Scan, }; Then I get no logging of the events anywhere. Therefore I can't run reports of offenders and build active blocklists or other intel gathering activities. If I: # Set rule to only email specific notice types: redef Notice::emailed_types += { Weird::Activity, Signatures::Sensitive_Signature, Signatures::Multiple_Signatures, Signatures::Multiple_Sig_Responders, Signatures::Count_Signature, Intel::Notice, TeamCymruMalwareHashRegistry::Match, Traceroute::Detected, FTP::Bruteforcing, FTP::Site_Exec_Success, HTTP::SQL_Injection_Victim, SMTP::Blocklist_Error_Message, SMTP::Blocklist_Blocked_Host, SMTP::Suspicious_Origination, SSH::Login_By_Password_Guesser, SSH::Interesting_Hostname_Login, }; Then I get flooded with email from any of the guessing activity (Side note: I find that the above logic doesn't restrict email notices to just those listed in the defined email types above. I still get plenty of notices about events not listed in the list above). If the redef Notice::emailed_types worked it would be a start but I'd still like to get emails about IP addresses in my internal net getting scanned by other IP's in my internal net, that definitely an indicator of unwanted behavior. Any assistance would be greatly appreciated. Just trying to tune things to a manageable level. Thanks Tim

4 years, 10 months

[Bro] Implementing new layer 2 Protocol

by j2om1350＠unibw.de

Hi all, My goal is to integrate a new protocol analyzer in Bro. This protocol (PROFINET dyscovery and Basic Configuration Protocol) is working on layer 2. My question is, are there special considerations to get at the data of the layer 2? My colleague has tried creating an analyzer by following your instructions for coding an analyzer by binpac. Before he went on vacation, he told me, he could access data with binpac of layer 3 but not of layer 2? Is that correct? If so does it work with the new binpac ++? Any pieces of advice or suggestions how to get started would be greatly appreciated. Kind regards Marcel Odenwald

4 years, 10 months

[Bro] About Bro Cluster Configuration

by Cristian Daniel Barbaro

Hello, I have a question about Bro Cluster architecture. By default, the cluster architecture has a frontend listening to a high-speed link; spliting traffic to each worker and to finally all workers information be administered by a manager using a proxy, etc. What we want to do is to have several workers analysing different networks segments and that each of those workers communicate with a manager, who will be responsible for managing all information and of course, enabling a centralized administration of workers configuration. Is it possible to do this? Thanks and regards. -- Cristian Daniel Barbaro CERTUNLP --

4 years, 10 months

[Bro] Bro handling of Microsoft BITS traffic

by Josh Guild

Hey all, I have a question about how Bro handles Micorsoft BITS (Background Intelligent Transfer Service) traffic since the file is only partially downloaded in the session it's monitoring. We've seen some traffic and it looks like Bro just shows as an incomplete file and doesn't carve it properly. Is there anything we can do to mitigate this? -- Josh Guild Network Intelligence Analyst <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>

4 years, 10 months

[Bro] Error while debugging bro in main.cc

by Aniket Savanand

Hello, I am trying to debug bro in Eclipse CDT . At the following line in main.cc, I am getting an error as "function init could not be resolved" // Must come after hash initialization. binpac::init(); I ran ./configure at home directory to generate makefile. and then I have imported source folder in CDT. Please direct my where I might be going wrong. Thanks Aniket Savanand MS San Jose State University -- *Regards, * *Aniket Savanand,* *MS Software Engineering 2016,* *San Jose State University, CA* *Email <aniket.savanand(a)sjsu.edu> **Cellphone- +1-669-226-8162*

4 years, 10 months

[Bro] NO DHCP.log

by Zafar Pravaiz

Hi , I am running SO 14.04. This is just capturing DNS and DHCP traffic on a span port. Recently i ran soup and reboot the box. After that i have noticed no DHCP log is showing up in bro log. i can see known_services shows DHCP as service but there no dhcp.log file being generate. Any clue what went wrong? I would appreciate any help Thanks Zafar

4 years, 10 months

[Bro] delay compress bro log rotation

by Brandon Glaze

Good afternoon, Is there a way to enable a "delay compress" type command (like in logrotate) for bro/broctl cron? I want to post process log files and it would be much more efficient if they were uncompressed. ===================== Brandon Glaze bglaze(a)gmail.com "Lead me, follow me, or get the hell out of my way." - General George Patton Jr

4 years, 10 months

[Bro] broctl errors related to replacement of ifconfig

by Harry Hoffman

Hi Folks, On later versions of Linux distros iproute2 replaces ifconfig with ip Starting at line 601 at https://github.com/bro/broctl/blob/master/BroControl/config.py It looks like ifconfig is hard-written into the logic. Probably needs a patch to check for the ip command. Cheers, Harry

4 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek February 2016