zeek November 2017

zeek@lists.zeek.org

34 participants
36 discussions

by Lamps, Jereme

Hello, I was just wondering if it was possible to lookup fa_file or Files::Info records given a FUID. I have been looking through the built in functions but have not seen anything. Best, Jereme Lamps

3 years, 3 months

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

3 years, 3 months

[Bro] Bro 2.5.2 & 2.4.2 release (security update)

by Johanna Amann

We announce the release of Bro v2.5.2. The new version is now available for download at: https://bro.org/download/index.html or directly at: https://www.bro.org/downloads/bro-2.5.2.tar.gz Binary packages for the new version are currently building and will be available in the next hours at: https://bro.org/download/packages.html This is a security release that fixes an out-of-bound write in the ContentLine analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS attack). There also is a possibility this can be exploited in other ways. This bug was found by Frank Meier. A CVE has been requested for this bug. Bro 2.5.2 does not contain any other changes. We urge everyone to update their installation as quickly as possible. Due to the potential severity of this bug we also provide a patched version of Bro v2.4.2. The only difference to version v2.4.1 is this bugfix. Please note that we encourage users to use version 2.5.2 instead; we do generally not provide security updates for old releases; version 2.4.2 is missing a number of other bugfixes that were applied to v2.5.2. Version 2.4.2 is available for download at: https://www.bro.org/downloads/bro-2.4.2.tar.gz Johanna

3 years, 3 months

[Bro] Multi tap architecture

by bro-ml＠razaborg.fr

Hi everyone, I'm looking to build a Bro architecture with several Tap components (I mean the tcpdump stuff), all separated from the core. I've seen the "cluster" architecture (https://www.bro.org/sphinx/cluster/index.html), but as I said I want to split out the capture work, not the protocol analysis stuff. My situation is the following : I have several "boxes" (with not enough power to do the protocol analysis work, that's the point) in different networks, all connected to one single "core" component. I would like to deploy network capture (Tap) instances on all those boxes, and let the core component do all the hard stuff (I can potentially install a front-end on this core component to set up many "workers" behind it). Is there any way to do this ? Any documentation ? Does anyone have any clue about how to set it up that way ? Thanks a lot, Pierre

3 years, 3 months

[Bro] Scanned Unique Host

by Hector Pena

Hi, Is there a way to view which host were scanned when receiving a notice for the scan.bro script? We have been receiving a lot of notices lately for “x.x.x.x scanned at least X unique hosts on port X in Xtime”. I cannot seem to find a good way to determine which host were scanned by the host machine. Thanks,

3 years, 3 months

[Bro] integrate FPGA\PF_RING supported NIC with Bro - offload

by william de ping

Hi all, I wonder if anyone had a chance of somehow incorporate a FPGA NIC \ Smart NIC \ Napatech \ PF_RING with Bro ? I would like to scale my Bro cluster and process higher volumes of traffic (5-10Gbps). Currently I use PF_RING supported nic (intel X710) to LB the traffic to multiple workers - this environment cannot handle the above traffic load. I could always beef up my server but that does not seem like an elegant solution. Could there be any benefits for moving to Napatech NIC or FPGA supported NIC ? In what scenario an FPGA card can be integrated with Bro to offload some of its more tedious tasks to the smart nic ? Any ideas would be appreciated Thanks B

3 years, 3 months

[Bro] size file

by Rober Fernández

hi, I have this code: event connection_established(c: connection) { local orig_file = generate_extraction_filename(extrac_prefix, c, "orig.dat"); local orig_f = open(orig_file); set_contents_file(c$id, CONTENTS_ORIG, orig_f); local resp_file = generate_extraction_filename(extrac_prefix, c, "resp.dat"); local resp_f = open(resp_file); set_contents_file(c$id, CONTENTS_RESP, resp_f); } and I would like set a maximum size, I think that I have two options, 1. set a maximum size file 2. control the data so that it does not exceed the size How can I do this? thanks

3 years, 3 months

[Bro] Mininet

by Sniper

Hello, Just wondering if anyone has tryed to use Bro on an openflow-based network using mininet? Kind regards Daniel --- This email has been checked for viruses by Avast antivirus software. https://www.avast.com/antivirus

3 years, 3 months

[Bro] Payload

by Rober Fernández

Hi, How can I get the payload of each connection and print each payload in a different file? Regards

3 years, 3 months

[Bro] How to convert name field in smb_files.log to "readable" string?

by 김수련

Hi, all Is there some way that convert name field of smb_files.log to "readable"? I got name value like "\u00ec\u0099\u0084" It seems like unicode and I read weird string(e.g. ê¸°íš íŒ€) when I send to ELK(characterset: utf-8). I might need to convert it. Any comments would be appreciated! Thanks!

3 years, 4 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek November 2017