zeek October 2017

zeek@lists.zeek.org

39 participants
46 discussions

by Lamps, Jereme

Hello, I was just wondering if it was possible to lookup fa_file or Files::Info records given a FUID. I have been looking through the built in functions but have not seen anything. Best, Jereme Lamps

3 years, 3 months

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

3 years, 3 months

[Bro] Bro 2.5.2 & 2.4.2 release (security update)

by Johanna Amann

We announce the release of Bro v2.5.2. The new version is now available for download at: https://bro.org/download/index.html or directly at: https://www.bro.org/downloads/bro-2.5.2.tar.gz Binary packages for the new version are currently building and will be available in the next hours at: https://bro.org/download/packages.html This is a security release that fixes an out-of-bound write in the ContentLine analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. This bug was found by Frank Meier. A CVE has been requested for this bug. Bro 2.5.2 does not contain any other changes. We urge everyone to update their installation as quickly as possible. Due to the potential severity of this bug we also provide a patched version of Bro v2.4.2. The only difference to version v2.4.1 is this bugfix. Please note that we encourage users to use version 2.5.2 instead; we do generally not provide security updates for old releases; version 2.4.2 is missing a number of other bugfixes that were applied to v2.5.2. Version 2.4.2 is available for download at: https://www.bro.org/downloads/bro-2.4.2.tar.gz Johanna

3 years, 3 months

[Bro] Scanned Unique Host

by Hector Pena

Hi, Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine. Thanks,

3 years, 3 months

[Bro] Mininet

by Sniper

Hello, Just wondering if anyone has tryed to use Bro on an openflow-based network using mininet? Kind regards Daniel --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

3 years, 3 months

[Bro] Payload

by Rober Fernández

Hi, How can I get the payload of each connection and print each payload in a different file? Regards

3 years, 3 months

[Bro] SMB copied files not showing in files.log

by Vikram Basu

Hi, So I am using the SMB plugin for Bro by loading in local.bro but it seems to be very inconsistent. Often times when I am copying files between two windows machines over the domain there is no corresponding file in the files.log. The smb_files.log itself seems to filled up with a lot of .ini files as well and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them. I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network but often times Bro does not detect the same. Is there any particular way I need to share the files in windows to get the copied files to show up consistently in bro? Regards Vikram Basu

3 years, 5 months

[Bro] - large double are not printed/written correctly

by william de ping

Hi, I have this simple script : event bro_init() { local a=-3.019159e-8; print "a",a; local s=fmt("%e",a); print "s",s; } results : a, -0 s, -3.019159e-08 the printing of variable a is important because its -0 once written in a log file. is there anyway of printing\writing large doubles ? Thanks B

3 years, 5 months

[Bro] - input table of regex patterns OR convert string to regex pattern

by william de ping

Hi all, I am trying to read a csv file that has regex patterns in it. it seems that bro does not like reading a column into a regex type. anyway to accomplish that ? is there any function that converts string to regex ? Thanks a lot, B

3 years, 5 months

[Bro] &expire_func functionality/verification with pcap

by Lamps, Jereme

Building a little off my previous question, I have a structure my_table defined: global my_table: table[string] of vector of HTTP::Info &write_expire = 30secs &expire_func=process; and my_table will get written to in the connection_state_remove event, which should then call the expire_func 30s later. I have tried triggering the functionality two ways: * Having Bro read in a 1GB test.pcap, waiting for minutes (with exit_only_after_terminate=T), then CTRL-C to exit * Having Bro listen on a dummy interface and tcpthrow the test.pcap against it, waiting for minutes then CTRL-C to exit It seems to work for a subset of the connections but not all of them. My hunch is that Bro’s connection state table has no strict time-based removal process, so the connection_state_remove event will not be triggered unless I throw more data at it. My second thought is that it does get triggered at the end for the CTRL-C, but then shuts down before the expire_func fires 30secs later. If my hunches correct please let me know, as then it should theoretically work with Bro on the wire as new data comes in. But for testing purposes, is there any way to either force flushes of the connection table or ensure that Bro waits long enough after the CTRL-C to handle the expire_func? Best, Jereme Lamps

3 years, 5 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek October 2017