zeek July 2016

zeek@lists.zeek.org

59 participants
50 discussions

[Bro] BroCon ’16: Early bird registration expires Monday

by Dopheide, Jeannette M

Bro Community, A friendly reminder that BroCon’s early bird registration expires on Monday August 1st. Save yourself $50 and register now! https://www.bro.org/community/brocon2016.html#registration See you in September, The Bro Team ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

5 years, 4 months

[Bro] ftp.log file isn't logging ftp related requests.

by Aneela Safdar

Hi, I have bro and proftpd server installed on linux. I tried to connect with this server through a intentionally brute force attack with random usernames and passwords thinking ftp.log will record these attempts but it didn't. Instead ftp.log I am getting these requests logged in weird.log file. I did same with ssh service but i logged all requests and related information in ssh.log file.How come I can make ftp.log file to log all ftp related information which I genuinely think should be a default setting. Isn't so? Regards, Aneela Safdar

5 years, 4 months

[Bro] Inconsistent results

by Ben Mixon-Baca

Is there any reason to expect Bro to give inconsistent output when running a script on trace files? I have a script that uses SumStats to fire off an observation in the tcp_packet event to save the payload for later analysis. I seem to be running into an issue where I count a smaller number of observed tcp_packet events than I should actually be seeing. -- Ben

5 years, 4 months

[Bro] Configuration of timing when to move log file from current folder

by Aneela Safdar

Hi, I need to know where I can specified the time interval to move log files of bro from current folder to the respected day date named folder? Can I change it? Regards, Aneela Safdar

5 years, 4 months

[Bro] Network taps necessary for Bro

by Daniel Manzo

Hi all, My team is looking into using the Bro IDS for monitoring of a science DMZ with a 100 Gbps network. I was wondering how to choose which network tap(s) is necessary for this type of connection and if you have any recommendations/methods for setting up the hardware for Bro. I have been looking at the passive Ixia Flex taps, but after reading the paper on bro.org about the 100G connection in Berkeley Labs, I'm not so sure this is the right direction. Thanks for the help, Daniel Manzo

5 years, 4 months

[Bro] Broala job openings

by Seth Hall

Hi all! I'm posting from my Broala address this time because I wanted to let everyone know that we have a couple of job openings at Broala. If anyone is interested in working with us as we develop the BroBox platform, please reach out, we'd love to hear from you! Here are the links to the job postings: https://www.broala.com/platform-engineer.html https://www.broala.com/platform-quality-engineer.html Thanks, .Seth -- Seth Hall * Broala * seth(a)broala.com * www.broala.com

5 years, 4 months

[Bro] SYN/ACK Attack

by Tim Desrochers

Bro Community I have been seeing A LOT of SYN/ACK attacks lately on my net and it seems that every time Bro is switching the orig and resp IP's. Luckily the history column has helped me determine which IP is the true src. Also, I have SiLK running on my bro sensors and the netflow traffic I get from SiLK is identifying the true src and resp IP addresses but Bro seems to switch the IP addresses. Is this because Bro thinks it missed the SYN packet so it switches the IP's? Should it be doing this?

5 years, 4 months

[Bro] Weird behavior

by Ben Mixon-Baca

Hi, I have been trying to find trace a bug in my code. I put print statements in several events including connection_SYN_packet. I am seeing this event getting fired off twice for every SYN packet seen on the wire. When I inspect the pcap with wireshark however, I have only found a single SYN packet. So I am wondering if there is something special happening in the event engine when using low level functions like connect_SYN_packet, that might cause this behavior. -- Ben

5 years, 4 months

[Bro] Assertion failure, Tag.cc

by Michael Fry

Hi All, Has anyone encountered the assertion failure below with Bro 2.4.1? This is happening with live traffic at least a couple times a day since upgrading from Bro 2.3.2. I didn't see anything the bug tracker, so thought I'd float it here first. listening on zc:99@1, capture length 8192 bytes 1459786307.312525 processing suspended 1459786307.312525 processing continued 1459802619.911190 Failed to open GeoIP City database: /usr/share/GeoIP/GeoIPCity.dat 1459802619.911190 Fell back to GeoIP Country database 1459802619.911190 Failed to open GeoIP Cityv6 database: /usr/share/GeoIP/GeoIPCityv6.dat bro: /home/mfry/dev/bro24/bro-2.4.1/src/Tag.cc:72: EnumVal* Tag::AsEnumVal(EnumType*) const: Assertion `type == 0 && subtype == 0' failed. /opt/bro/share/broctl/scripts/run-bro: line 100: 11312 Aborted (core dumped) nohup ${pin_command} $pin_cpu "$mybro" "$@" Regards, Michael

5 years, 4 months

[Bro] Issues with data structures

by Ben Mixon-Baca

Hi, I am trying to build a 2D histogram based byte values in a tcp payload. I look at each byte independently. So I get 2^8 possible byte values which I use as a row index. the first 256 or so bytes of the payload as passed from the tcp_packet function are where I get this, and the specific byte position in the payload is suppose to give me the column index. I initially was trying the following using the with and without the SumStats framwork. The code below is with SumStats: module BytePatterns; export { global other_counts: vector of table[string] of count; } <Stuff> $epoch_result(ts: time, key: SumStats::Key, result: SumStats::Result) = { local tmp: table[string] of count; if ("prefix" in result) { local i = 0; local payload = SumStats::key2str(key); for (bytei in payload) { bytei = string_to_ascii_hex(bytei); if (i !in BytePatterns::other_counts) { BytePatterns::other_counts[i] = tmp; } if (bytei !in BytePatterns::other_counts[i]) { BytePatterns::other_counts[i][bytei] = 0; } BytePatterns::other_counts[i][bytei] += 1; i += 1; } } <Stuff> event tcp_packet(c: connection , is_orig: bool , flags: string , seq: count , ack: count , len: count , payload: string ) { if (is_orig) { if (c$seen_syn == T) { c$acks += 1; if (c$acks == 2 && len > 0) { print fmt("%s", BytePatterns::eseen); SumStats::observe("prefix",[$str=payload], [$str=payload]); } } } } Based on other state, this event should only be getting 3 payloads with a trace file I made for testing. The column sum should therefore be 3 for all columns, however, when I run this code, I am getting significantly larger counts. I am wondering if the way I am adding tables to the other_counts, data structure is somehow causing this behavior. Or possibly something with the way I am using SumStats and it is not doing what I think it is. Thank you in advance. -- Ben

5 years, 4 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2016