zeek October 2017

zeek@lists.zeek.org

39 participants
47 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

4 months, 4 weeks

[Bro] Looking up fa_file given FUID

by Lamps, Jereme

Hello, I was just wondering if it was possible to lookup fa_file or Files::Info records given a FUID. I have been looking through the built in functions but have not seen anything. Best, Jereme Lamps

4 years, 5 months

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

4 years, 5 months

[Bro] Bro 2.5.2 & 2.4.2 release (security update)

by Johanna Amann

We announce the release of Bro v2.5.2. The new version is now available for download at: https://bro.org/download/index.html or directly at: https://www.bro.org/downloads/bro-2.5.2.tar.gz Binary packages for the new version are currently building and will be available in the next hours at: https://bro.org/download/packages.html This is a security release that fixes an out-of-bound write in the ContentLine analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. This bug was found by Frank Meier. A CVE has been requested for this bug. Bro 2.5.2 does not contain any other changes. We urge everyone to update their installation as quickly as possible. Due to the potential severity of this bug we also provide a patched version of Bro v2.4.2. The only difference to version v2.4.1 is this bugfix. Please note that we encourage users to use version 2.5.2 instead; we do generally not provide security updates for old releases; version 2.4.2 is missing a number of other bugfixes that were applied to v2.5.2. Version 2.4.2 is available for download at: https://www.bro.org/downloads/bro-2.4.2.tar.gz Johanna

4 years, 5 months

[Bro] Scanned Unique Host

by Hector Pena

Hi, Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine. Thanks,

4 years, 5 months

[Bro] Mininet

by Sniper

Hello, Just wondering if anyone has tryed to use Bro on an openflow-based network using mininet? Kind regards Daniel --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

4 years, 5 months

[Bro] Payload

by Rober Fernández

Hi, How can I get the payload of each connection and print each payload in a different file? Regards

4 years, 5 months

[Bro] SMB copied files not showing in files.log

by Vikram Basu

Hi, So I am using the SMB plugin for Bro by loading in local.bro but it seems to be very inconsistent. Often times when I am copying files between two windows machines over the domain there is no corresponding file in the files.log. The smb_files.log itself seems to filled up with a lot of .ini files as well and they all seem to have the “SMB::FILE_OPEN” action even when I haven’t opened any of them. I thought I would use files showing source as SMB in files.log to differentiate when files are actually copied over the network but often times Bro does not detect the same. Is there any particular way I need to share the files in windows to get the copied files to show up consistently in bro? Regards Vikram Basu

4 years, 7 months

[Bro] - large double are not printed/written correctly

by william de ping

Hi, I have this simple script : event bro_init() { local a=-3.019159e-8; print "a",a; local s=fmt("%e",a); print "s",s; } results : a, -0 s, -3.019159e-08 the printing of variable a is important because its -0 once written in a log file. is there anyway of printing\writing large doubles ? Thanks B

4 years, 7 months

[Bro] - input table of regex patterns OR convert string to regex pattern

by william de ping

Hi all, I am trying to read a csv file that has regex patterns in it. it seems that bro does not like reading a column into a regex type. anyway to accomplish that ? is there any function that converts string to regex ? Thanks a lot, B

4 years, 7 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek October 2017