Is it possible for Bro to swap the originator and responder IP addresses in
its logs?
Below you will see the only conn.log I have for an IP address. The
originator is the external host and the responder is the internal IP of my
org. Then in every other log I have (ssh and notice) where this IP shows up, the
originator is my internal host and the responder is the external IP.
conn.15:00:00-16:00:00.log.gz:
{
  "ts": 1469114110842,
  "uid": "ClvNzi2EnWQnmykMZ7",
  "id.orig_h": "EXTERNAL IP",
  "id.orig_p": 15000,
  "id.resp_h": "INTERNAL HOST",
  "id.resp_p": 1043,
  "proto": "tcp",
  "duration": 0.658319,
  "orig_bytes": 416,
  "resp_bytes": 976,
  "conn_state": "SF",
  "local_orig": false,
  "local_resp": true,
  "missed_bytes": 0,
  "history": "DadAfF",
  "orig_pkts": 12,
  "orig_ip_bytes": 1040,
  "resp_pkts": 10,
  "resp_ip_bytes": 1496,
  "tunnel_parents": [],
  "orig_cc": "US",
  "sensorname": "SENSOR-1"
}

notice.15:00:00-16:00:00.log.gz:
{
  "ts": 1469113976350,
  "uid": "CseS0Q2AQ0biwoE97g",
  "id.orig_h": "INTERNAL HOST",
  "id.orig_p": 1024,
  "id.resp_h": "EXTERNAL IP",
  "id.resp_p": 15000,
  "proto": "tcp",
  "note": "SSH::Interesting_Hostname_Login",
  "msg": "Possible SSH login involving a remote server with an interesting hostname.",
  "sub": "EXTERNAL DOMAIN",
  "src": "10.21.4.124",
  "dst": "EXTERNAL IP",
  "p": 15000,
  "peer_descr": "SENSOR-1",
  "actions": ["Notice::ACTION_EMAIL", "Notice::ACTION_LOG"],
  "suppress_for": 3600.0,
  "dropped": false
}

ssh.15:00:00-16:00:00.log.gz:
{
  "ts": 1469116787409,
  "uid": "CWQdeiL75K07BRtb4",
  "id.orig_h": "INTERNAL HOST",
  "id.orig_p": 1427,
  "id.resp_h": "EXTERNAL IP",
  "id.resp_p": 15000,
  "version": 2,
  "auth_success": true,
  "direction": "OUTBOUND",
  "client": "SSH-2.0-OpenSSH_3.1p1",
  "server": "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",
  "cipher_alg": "aes128-cbc",
  "mac_alg": "hmac-md5",
  "compression_alg": "none",
  "kex_alg": "diffie-hellman-group-exchange-sha1",
  "host_key_alg": "ssh-rsa",
  "host_key": "REMOVED",
  "remote_location.country_code": "US"
}
Thoughts as to why? Also, I know I saw this come up before but it has been
buried: does auth_success:true indicate that SSH authentication was
successful?
Hello Bro Community,
We have posted the BroCon agenda to our site:
https://www.bro.org/community/brocon2016.html#agenda
Note this year we extended the lunch and break sessions to allow for more mingling. We have a few more pending presentations to announce, check back periodically for updates.
Don’t forget to register and book your hotel.
See you in September,
The Bro Team
------
Jeannette Dopheide
Training and Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
Hello all,
On slide 11 of this presentation:
https://www.bro.org/bro-workshop-2011/slides/network-forensics.pdf
There is a Use Case for Insider Abuse, I am interested in this and am a
beginner to Bro IDS scripting. Is there any existing script dealing with
some form of Insider Abuse that I can use as an example?
Thanks,
W.
I've been trying to set up Bro syntax highlighting for Sublime Text 2 using
Liam Randall's guide:
http://liamrandall.com/syntax-highlighting-for-bro-network-programming-lang…
But I'm running into trouble on the last step and can't seem to find the
Windows 10 equivalent of the config directory that I'm supposed to put the
bro.tmbundle in. I see a folder called "Pristine Packages" in the C directory
folder for Sublime, but I don't believe this is it.
Hello, people.
I'm trying to detect when someone connects to Telnet and the login is
successful. But Bro never detects this event; only login_confused or
login_confused_text events were detected.
Any idea?
Thanks. Regards...
--
Cristian Daniel Barbaro
CERTUNLP
--
Hi,
I have Bro 2.4.1 running on an older system (2 Intel X5550 processors giving 8 CPUs), 48Gb memory running 64 bit Ubuntu (14.04.4) server, using PF_Ring with an Intel 82571EB Ethernet card (1gb copper). This system is sitting on a network tap that is just seeing SMTP traffic between our outer mail gateway and our inside mail infrastructure. My Bro configuration is relatively simple, with a nodes.cfg being:
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
type=worker
host=localhost
interface=eth5
lb_method=pf_ring
lb_procs=8
When I look at the files.log file I see instances of files that have missing_bytes, which causes the hashes to not be calculated. Running an IFCONFIG I don't see any drops, errors, etc. Same with running broctl netstats: no drops. SAR reports on that system show the CPUs running at 73% IDLE.
Is there something I'm missing in tuning or tweaking our configuration? Can I get to a point where I have zero files with no missed_bytes, or will there always be something or things with missed_bytes? A hardware upgrade can be in our future, but I'm trying to prove this concept by using this setup to help get funding for upgrading.
Thanks all,
Steve
I've followed the steps to get Bro to use pf_ring and it even shows that
it's using the pf_ring/lib, but as soon as I install from my manager it
reverts back to libpcap. Any ideas?
Bro Community,
Are you planning to attend BroCon this year? If so, don't forget to book your hotel:
https://www.bro.org/community/brocon2016.html#hotelinformation
We reserved a block of rooms less than a half a mile away from the conference site at the Lone Star Court. One thing that might not be clear from the website is they do not charge your card to book the reservation, in case that detail is causing you to delay booking your stay. Our hold on the rooms expires August 22nd.
See you in August,
The Bro Team
Is there a way to use the intel framework to alert on something like this:
/templates/nivoslider/loading.php
I don't care about the domain I just care about the URI. The adversary
keeps using DGA domains but the rest stays the same.
I read the intel framework section online and I don't see anything that
appears it would match this type of intel.
Thanks
Tim
Well, regarding the Splunk add-on for BRO-IDS, I asked the following question on
Splunkbase and am still waiting for an answer, so I thought it might be worth
sharing it here as well:
Starting with the environment, I have an indexer cluster of 3 indexers, two
independent search heads, and one Universal Forwarder.
My question is: where does the BRO IDS app go and how does it work?
What I have done is - I have installed the app on both of my search heads
(as per general convention while dealing with apps), and my Universal
Forwarder is monitoring the Bro log directory (yes I have installed UF on
my Bro sensor machine).
I am getting the monitored Bro logs in my indexers and am able to search
them via search heads, but the app is just sitting there doing nothing it
seems.
The documentation I have read so far says that you need to install the app on
the heavy forwarder that is monitoring your log dir and have to set the
inputs path in the app instead of the heavy forwarder's input. (So I think it's
stupid for the people who just want to have a forwarder installed on their
Bro sensor for just forwarding Bro logs; for that we need to install a
heavy forwarder with the app, and the app will be doing all the
forwarding and parsing while the heavy forwarder just sits there
providing Python support to the app to do its stuff.)
So my question is: is my above configuration even workable with Bro IDS
add-on or do I have to just chuck the idea of using the add-on because I
don't want to run a heavy forwarder on my Bro machines?
Thanks,
Fatema.
On Fri, Jul 15, 2016 at 5:55 AM, <bro-request(a)bro.org> wrote:
> Today's Topics:
>
> 1. Re: problem ingesting bro json logs into splunk (Steve Brant)
> 2. Re: PF_RING ZC Config (Alfredo Cardigliano)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 14 Jul 2016 17:07:41 -0600
> From: Steve Brant <steve(a)brant.nu>
> Subject: Re: [Bro] problem ingesting bro json logs into splunk
> To: Brandon Lattin <lattin(a)umn.edu>
> Cc: philosnef <philosnef(a)yahoo.com>, "bro(a)bro.org" <bro(a)bro.org>
> Message-ID: <CAA=spH96fjZWyMduzDmmT+HCgUufdY2aNaOkf00zD07ZmnmONg(a)mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I've attached a modified version of the Splunk TA for bro, that
> accommodates bro logs in json format. Let me know if you have any problem
> with it.
>
> Thanks,
> Steve
>
> ~/SB
>
> On Thu, Jul 14, 2016 at 8:14 AM, Brandon Lattin <lattin(a)umn.edu> wrote:
>
> > Do you have the Splunk installed? (https://splunkbase.splunk.com/app/1617/)
> >
> > The TA will dynamically create sourcetypes based on the log name.
> >
> > # Dynamic source typing based on log filename
> > # Match: conn.log, bro.conn.log,
> > # md5.bro.conn.log, whatever.conn.log
> > [BroAutoType]
> > DEST_KEY = MetaData:Sourcetype
> > SOURCE_KEY = MetaData:Source
> > REGEX = ([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log
> > FORMAT = sourcetype::bro_$1
> > WRITE_META = true
> >
> >
> > On Thu, Jul 14, 2016 at 8:33 AM, philosnef <philosnef(a)yahoo.com> wrote:
> >
> >> We are getting a spurious sourcetype when ingesting bro json logs into
> >> splunk.
> >>
> >> Specifically, we are getting a sourcetype of bro_00. There is no log file
> >> named this, and the splunkforwarder is just pushing the raw logs for
> >> indexing into splunk. There is no massaging of the log data. Anyone know
> >> why this sourcetype is popping up?
> >>
> >> _______________________________________________
> >> Bro mailing list
> >> bro(a)bro-ids.org
> >> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >>
> >
> >
> >
> > --
> > Brandon Lattin
> > Security Analyst
> > University of Minnesota - University Information Security
> > Office: 612-626-6672
> >
>
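The BroAutoType transform quoted in the digest above derives the sourcetype from the source path with an unanchored REGEX, so the leftmost position where the whole pattern matches decides the capture. The following is an added example (my own code, not the Splunk TA's or anything from the list) that runs that exact REGEX against constructed source paths in the naming styles seen on this page; it shows one way a bro_00 sourcetype can arise, and HARDENED_REGEX is an assumed alternative pattern, not one the TA ships.

```python
import re

# The REGEX from the BroAutoType stanza quoted above, as a Python pattern
# (it uses no PCRE-only syntax, so Python's re evaluates it the same way).
BRO_AUTOTYPE_REGEX = re.compile(r"([a-zA-Z0-9-]+)(?:\.[0-9-]*)?(?:\.[0-9\:-]*)?\.log")

# Assumed hardening (not from the TA): the optional segment between the log
# name and ".log" must start with a digit (a rotation timestamp) but may then
# contain any character except "." or "/", so an unexpected separator such as
# "_" inside the timestamp no longer makes the match skip past the log name.
HARDENED_REGEX = re.compile(r"([a-zA-Z0-9-]+)(?:\.[0-9][^./]*)?\.log")


def bro_sourcetype(source, regex=BRO_AUTOTYPE_REGEX):
    """Emulate the transform: search (unanchored, leftmost match wins) and
    build the value FORMAT = sourcetype::bro_$1 would write; None if no match."""
    m = regex.search(source)
    return None if m is None else "bro_" + m.group(1)


# Constructed sample source paths (not real files) in the naming styles on this page.
SAMPLE_SOURCES = [
    "/opt/bro/logs/current/conn.log",
    "/nsm/bro/logs/2016-07-14/bro.conn.log",
    "/nsm/bro/logs/2016-07-14/conn.15:00:00-16:00:00.log.gz",
    # Constructed: a "_" between date and time is outside the TA pattern's
    # character classes, so the match starting at "conn" fails and the first
    # position that can still reach ".log" is the final "00" -> bro_00.
    "/nsm/bro/logs/2016-07-14/conn.2016-07-14_15:00:00.log",
]


def classify_all(sources=SAMPLE_SOURCES):
    """Map each source path to (sourcetype from TA regex, sourcetype from hardened regex)."""
    return {s: (bro_sourcetype(s), bro_sourcetype(s, HARDENED_REGEX)) for s in sources}


if __name__ == "__main__":
    for src, (original, hardened) in classify_all().items():
        print(f"{src}\n  TA regex:       {original}\n  hardened regex: {hardened}")
```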