zeek May 2016

zeek@lists.zeek.org

45 participants
40 discussions

by Shawn Homan

I was wondering if anyone can tell me why the sha256 hash functionality isn't turned on by default for the files log. I am working on something and needed to turn it on. I normally only use Bro to process pcap files offline and have never used it on a live network. Does it cause performance issues? Thanks, Shawn

4 years

[Bro] Assertion failure, Tag.cc

by Michael Fry

Hi All, Has anyone encountered the assertion failure below with Bro 2.4.1? This is happening with live traffic at least a couple times a day since upgrading from Bro 2.3.2. I didn't see anything the bug tracker, so thought I'd float it here first. listening on zc:99@1, capture length 8192 bytes 1459786307.312525 processing suspended 1459786307.312525 processing continued 1459802619.911190 Failed to open GeoIP City database: /usr/share/GeoIP/GeoIPCity.dat 1459802619.911190 Fell back to GeoIP Country database 1459802619.911190 Failed to open GeoIP Cityv6 database: /usr/share/GeoIP/GeoIPCityv6.dat bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal* Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0' failed. /opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted (core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@" Regards, Michael

4 years, 5 months

[Bro] Question about network cards

by Giesige, Rich

Hello, I’m wondering what people are using for network cards in their bro clusters that are not using the Myricom Network Cards. We don’t have a $1,000 dollars per a card + license to spend on the cards. Is anyone using Intel or other brands that aren’t as expensive to capture their traffic? We are looking at doing all 10 Gig connections into the Bro Cluster. Thanks for all your answers. -- Richard Giesige IT Security Analyst Office of Information Security Oregon State University "OSU staff will NEVER ask for you password. Never email or share your password with anyone."

4 years, 7 months

[Bro] Brownian and Ubuntu 16.04

by Hamid Reza Ghaeini

Hi. I configured the Brownian based on your instructions and the following link: http://www.hyperionavenue.com/?p=692 My configurations are: Elasticsearch 2.3.3 Bro 2.4.1 Ubuntu 16.04 LTS I followed the procedure and it works on Ubuntu 14.04. I wondering why it is not working in the new version of Ubuntu. I did this for testing the elasticsearch. curl 'localhost:9200/_cat/indices?v' | grep bro % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 270 100 270 0 0 4302 0 --:--:-- --:--:-- --:--:-- 4354 yellow open @bro-meta 5 1 1 11 4.8kb 4.8kb yellow open bro-201605312100 5 1 0 0 795b 795b But it looks that elasticsearch is working fine. But the brownian show this error: Error! Could not connect to server - please check ELASTICSEARCH_SERVER in settings.py Could you please help me to solve this problem? Thanks.

4 years, 7 months

[Bro] Bro Roadmap and Linux Distro Compatibility

by Gary Faulkner

I'm about to build a couple more worker nodes and it got me wondering whether I should migrate to a newer Linux distro. My current cluster is running on RHEL 6.x, but over the past couple years I've noticed changes to Bro that temporarily required installing newer versions of CMake than RHEL 6.x originally supported. RHEL 6.x eventually broke the mold of not breaking binary compatibility around RHEL 6.6 and moved to a newer CMake which made the RHEL packaged CMake Bro compatible once again. As such I'm wondering if there is anything in the pipeline that would break compatibility a properly updated RHEL 6.x/Centos6.x. I'd rather not maintain separate versions of libraries to build Bro if possible. We're technically a RHEL shop, so I'd probably be looking at RHEL7.x, but I could look at another distro that is more aggressive with running newer kernels and software libraries if necessary. Thoughts? ~Gary

4 years, 7 months

[Bro] Reminder: Upgrade your Bro installation! Stability updates in 2.4.1

by Doris Schioberg

Bro 2.5 is not far away, but in the meantime you should upgrade to Bro 2.4.1. This is the latest stable release. If you are running 2.4 the upgrade to 2.4.1 won't break your config. This release contains important fixes without changing Bro's functionality. Check the change log here: https://www.bro.org/download/CHANGES.bro.txt. - the Bro team -- Doris Schioberg Bro Outreach, Training, and Education Coordinator International Computer Science Institute (ICSI Berkeley) Phone: +1 (510) 289-8406 * doris(a)bro.org

4 years, 7 months

[Bro] Adding MAC Address Information to Connection Object and Logs

by William Baker

Hello, I have a fairly simple use case. I have a database of devices, which contains a device name, manufacturer, IP addresses, and MAC address. I want to be able to take a device from that database, retrieve the MAC address, and use that to query data that has been generated by BRO. I have successfully gotten MAC address information into the conn.log by using the roam.bro script linked from another message in this chain and extending the conn.log functionality. But, this is getting the MAC address from the DHCP table. I was hoping to get the MAC address directly from the PCAP file from which the connection object is being generated (at least that is my assumption). My first thoughts were that the connection object that is being passed into many of these methods would get its information from the PCAP file and I could expand that functionality, but this has been a dead end for me. Does anyone have advice for getting MAC address from a PCAP file that was used to generate different logs in BRO? Thanks! William Baker | Software Developer Tietronix Software Inc. | 1331 Gemini Ave. STE 300 | Houston, TX 77058 +1 (281) 404-7253 | wbaker(a)tietronix.com<mailto:victor.tang@tietronix.com> | www.tietronix.com<http://www.tietronix.com/>

4 years, 7 months

[Bro] ERROR ! I keep getting a message saying "cant find weird"

by Sherine Davis (Security Engineering)

I am sorry for the disturbance. This must be a noob question :P And I am new to this, so please help me out My BRO script starts is as follows : @load weird @load alarm @load tcp event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, payload: string) { print fmt("IP : %s WITH PORT NO.: %s IS TRYING TO ACCESS TCP PACKETS", c$id$orig_h, c$id$orig_p); } error : cant find weird Even if i remove the first line the same error keeps popping up for alarm and tcp It has to be something about the path from which the scripts are being loaded But wasn't able to get a solution Please do help Thank You

4 years, 7 months

[Bro] My first Bro Scripts

by Josh Guild

Hi everyone, I wrote a few Bro scripts to cut my teeth on the language if you all would like to check them out: https://github.com/joshuaguild/bro_scripts Network Visibility will allow you to confirm that the traffic that should be flowing to your sensor actually is. You can populate what subnets you should be seeing and it will dump a log to confirm if it sees a host in that subnet. RDP Layout just checks the keyboard_layout field in the rdp.log against a whitelist (or you can make it a black list by changing the !in to in). Good for monitoring for lateral movement or connections to your DMZ. Comments/criticism are welcome! (I'm a network guy, not a programmer so...) -- Josh Guild Network Intelligence Analyst <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>

4 years, 7 months

[Bro] Best way to configure BRO IDS 2.4.1 to capture from a Quad port Network card

by Ludwig Goon

Hi were are using Dell R230's with an additional quad port card for network captures, streaming in traffic from our NetOptics Taps. On bro 2.4.1 what is the best way to configure it to listed on all 4 interfaces? Would we set that up in node.cfg and create 4 worker processes so that we can use broctl? Or can we specify it in BRO_CAPTURE_INTERFACE=" eth2 eth3 eth4 eth5". Or is there a command line bro with options? Is PF_RING needed?

4 years, 7 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2016