zeek June 2016

zeek@lists.zeek.org

49 participants
41 discussions

by Shawn Homan

I was wondering if anyone can tell me why the sha256 hash functionality isn't turned on by default for the files log. I am working on something and needed to turn it on. I normally only use Bro to process pcap files offline and have never used it on a live network. Does it cause performance issues? Thanks, Shawn

5 years, 5 months

[Bro] Assertion failure, Tag.cc

by Michael Fry

Hi All, Has anyone encountered the assertion failure below with Bro 2.4.1? This is happening with live traffic at least a couple times a day since upgrading from Bro 2.3.2. I didn't see anything the bug tracker, so thought I'd float it here first. listening on zc:99@1, capture length 8192 bytes 1459786307.312525 processing suspended 1459786307.312525 processing continued 1459802619.911190 Failed to open GeoIP City database: /usr/share/GeoIP/GeoIPCity.dat 1459802619.911190 Fell back to GeoIP Country database 1459802619.911190 Failed to open GeoIP Cityv6 database: /usr/share/GeoIP/GeoIPCityv6.dat bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal* Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0' failed. /opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted (core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@" Regards, Michael

5 years, 11 months

[Bro] PF_RING ZC Config

by Dave Crawford

Would anyone happen to have documentation for configuring ZC and Bro? I have NTop's PF_RING and ixgbe driver packages installed, the proper license in /etc/pf_ring, and have compiled Bro with the NTop libraries but I'm seeing the kernel error below along with a ton of “split routing” messages in weird.conf, so I suspect the flows aren’t being load balanced correctly. Jun 22 15:10:03 win-csignsm-01 kernel: [11060.244524] [PF_RING] Unable to activate two or more ZC sockets on the same interface eth6/link direction The monitored NIC is an Intel X520-LR1. Contents of /etc/pf_ring/zc/ixgbe/ixgbe.conf: RSS=10 allow_unsupported_sfp=0 Contents of /etc/pf_ring/hugepages.conf node=1 hugepages=1024 And Bro is configured as: [MID_INT] type=worker host=10.20.30.123 interface=zc:eth6 lb_method=pf_ring lb_procs=10 pin_cpus=10,11,12,13,14,15,16,17,18,19 Thanks! -Dave

5 years, 11 months

[Bro] number of connections to the same port in 100 connections

by Salman, Tara

Hi everyone, I am trying to find the number of connections having the same source ip and destination port in the last 100 connection using bro commands I managed to get the number in all connections using: bro-cut id.orig_h id.orgi_p < conn.log | sort| uniq -c| sort -rn which is working fine but i need to modify this to include only the last 100 connections in the log file. is there a way to do that ? thanks in advance

5 years, 12 months

[Bro] IP <-> MAC Address

by Maxime Lambert

Hi everyone, Is there a way to obtain the source and/or destination mac address from a connection record ? I've been looking through the scripts roam.bro, known-devices.bro and known-devices-and-hostnames.bro, but I'am not sure how it works. I'm wondering it I missed something. I've this 2 files : cat /opt/bro/logs/current/ known_devices.log #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path known_devices #open 2016-06-30-09-08-33 #fields ts mac dhcp_host_name #types time string string 1467260412.707446 00:11:22:33:44:55 android-684541321657432 1467260416.339490 00:11:22:33:44:66 android-213857946354179 1467260447.207524 00:11:22:33:44:77 iPhone-XXXX 1467261341.099450 00:11:22:33:44:88 iPhone -YYYY 1467271833.863474 00:11:22:33:44:99 iPhone -ZZZZ 1467272311.523445 00:11:22:33:44:00 bitcoin-computer 1467272443.463545 00:11:22:33:44:11 iPhone-UUUU 1467272517.623516 00:11:22:33:44:22 iPhone-TTTT 1467272692.387523 00:11:22:33:44:33 iPhone-VVVV 1467273783.775451 00:11:22:33:44:44 SDM-00239 1467273899.667460 00:11:22:33:33:55 iPhone-AAAA AND cat /opt/bro/logs/current/ dhcp.log #separator \x09 #set_separator , #empty_field (empty) #unset_field - #path dhcp #open 2016-06-30-09-51-23 #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p mac assigned_ip lease_time trans_id #types time string addr port addr port string addr interval count 1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799 1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799 1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799 1467264083.815462 C4jfqvVzuapDS69dz 255.255.255.255 68 192.X.X.X 67 XX:XX:XX:XX:XX:XX 192.X.X.X 86400.000000 146703799 So what I want is a fusion between dhcp.log and know-devices.log to know to each devices their IP and MAC address. I think bro must monitor ARP Request/Response to an output log file like this : ts string (Mac Addr) string (hostname) string (IP Addr) 1467260401.707446 XX:XX:XX:XX:XX:XX Android-XXXXXXXXXXX X.X.X.X Or maybe anyone has another solution ? Thank you for your help. Maxime Lambert

5 years, 12 months

[Bro] Security Officer opening at LIGO

by Slagell, Adam J

The NSF-funded LIGO project, responsible for the recent breakthrough discovery of gravitational waves that validate Einstein's theory, has posted an opening for a Cybersecurity Officer. This represents an opportunity to undertake cybersecurity in the support of scientific research with one of NSF's largest projects. CTSC and NCSA are working with LIGO to help advertise the position. Please see the LIGO posting for more information and details on how to apply: https://jobs.caltech.edu/postings/4919 ------ Adam J. Slagell Chief Information Security Officer Director, Cybersecurity Division National Center for Supercomputing Applications University of Illinois at Urbana-Champaign www.slagell.info "Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

5 years, 12 months

[Bro] CENIC seeking senior security person

by Gregory Bell

CENIC (one of the largest and most important public networks in the work) is recruiting an experienced security engineer - with Bro skills - to lead a new security group: http://cenic.org/about/career-detail/SeniorInformationSecurityAnalyst_Engin… Please forward to anyone you think might be interested. The initial job location is LA, but moving to the CENIC office in Berkeley might be possible in time. I'm on the CENIC board, and it's a great organization. Louis Fox (the CEO) is a very gifted leader. This network serves 20 million people, and interconnects most universities, colleges, K-12s, and libraries in California. - Greg -- Gregory Bell, PhD CEO - Broala www.broala.com

5 years, 12 months

Re: [Bro] delay pcap processing

by anthony kasza

Call suspend_processing() from scriptland until your table is ready. Here's an example: https://github.com/anthonykasza/scratch_pad/tree/master/input_for_pcaps -AK On Jun 28, 2016 7:40 PM, "Dk Jack" <dnj0496(a)gmail.com> wrote: Hi, I am trying to run in batch mode i.e. using '-r' option. In my script, I am trying read some data into bro from text file. As per the input framework documentation, reading data from file is an asynchronous event, my packet processing is completing before I receive the Input::end_of_data event. Is there a way to delay packet processing till file read is complete? Thanks, Dk _______________________________________________ Bro mailing list bro(a)bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

5 years, 12 months

[Bro] delay pcap processing

by Dk Jack

Hi, I am trying to run in batch mode i.e. using '-r' option. In my script, I am trying read some data into bro from text file. As per the input framework documentation, reading data from file is an asynchronous event, my packet processing is completing before I receive the Input::end_of_data event. Is there a way to delay packet processing till file read is complete? Thanks, Dk

5 years, 12 months

[Bro] Bro drop packets while not using CPU at full capacity

by Hashem Alaidaros

Hi All I use Bro for my PhD research, I add scripts in Bro and then see the CPU and packet drop rate, using @load stats.bro. I'm using Bro 2.3 with standard libcap. I use tcpreplay from Machine A to replay the pre-captured traffic into Bro multi-core machine B through port mirror switch. I replay the traffic from 100 to 1000 Mbps , When reach 200 Mbps and onward, packet start drop and increases. Surprisingly, the CPU is not fully utilized, CPU still 40% usage. What we know is that drop packet resulted from CPU full load, but in our case CPU still less than 50%, so My question, what is the cause of this packet drop? Is it normal? Best regards Aidaros

6 years

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2016