zeek April 2017

zeek@lists.zeek.org

45 participants
67 discussions

by Alex Kefallonitis

I am trying to add the two scripts for sqli and xss from this paper https://www.sans.org/reading-room/whitepapers/detection/web-application-att… but i get this error HTTP::c$http$first_chunk no such a field in record... Anyone knows what is happening? Thanks in advanced.

3 years, 11 months

[Bro] Cross compiling bro for mips core (as a binary)

by anant garg

Hello there, Has anybody got success in cross compiling bro for mips core, specifically as Cavium's Octeon binary (simple executive) ? I have looked around but did not find any pointer on this information. Does not look straightforward to me. Can somebody help providing any information/tips/notes on this if you have tried it before ? I appreciate your time on helping out this. -Anant

3 years, 11 months

[Bro] bro_init

by ps sunu

Hi, Any way to insert any connection related details inside event bro_init() functions Regards, sunu

3 years, 11 months

[Bro] Bro and GeoIP

by LinuxBSDos.com

Hello, If I installed Bro using the package manager, made sure that the GeoIP databases are in the right place, what else do I need to make it work, or does Bro need to be compiled from source for it to have support for GeoIP? I've done the test at [1] and it returned the error. Thanks, https://www.bro.org/sphinx/frameworks/geoip.html#geolocation -- -finid- Sent from my containerized Linux desktop ----------------------------------------

3 years, 11 months

[Bro] files.log

by ps sunu

Hi , This method can we add id into files.log global myevent: event(f: fa_file, c: connection, is_orig: bool); redef record Files::Info += { # tx_cc: string &log &optional; #rx_cc: string &log &optional; #tx_asn: count &log &optional; #rx_asn: count &log &optional; id: conn_id &log &optional; }; event myevent(f: fa_file, c: connection, is_orig: bool) &priority = -10 { if ( ! f?$info ) return; f$info$id = c$id; } Regards, Sunub event bro_init() { event myevent( f: fa_file, c: connection, is_orig: bool); } event bro_done() { print "bro_done()"; }

4 years

[Bro] (no subject)

by ps sunu

Hi below script i need to add connection related info inside notice log Skip to content This repository Search Pull requests Issues Gist @binups Sign out Watch 14 Star 29 Fork 10 fox-it/bro-scripts Code Issues 1 Pull requests 0 Projects 0 Wiki Pulse Graphs Branch: master Find file Copy pathbro-scripts/smb-ransomware/smb-ransomware.bro b3aa56d on 12 Sep 2016 @fox-srt fox-srt Adding SMB Ransomware policy for BroCon 2016 1 contributor RawBlameHistory 120 lines (93 sloc) 2.85 KB @load base/frameworks/files @load base/protocols/smb @load base/frameworks/notice @load base/frameworks/sumstats global fuidmap : set[string]; module FoxCryptoRansom; export { redef enum Notice::Type += { ## Notice corresponding to a possible ransomware attack RANSOMWARE_SMB }; ## Entropy check on the first packet send const enc_off = 0 &redef; ## Entropy check on certain bytes const enc_sdata = 0 &redef; const enc_edata = 1000 &redef; ## Entropy and Mean corresponding to a possible ransomware attack const enc_entropy = 7.5 &redef; const enc_mean = 125 &redef; ## Notice values corresponding to a possible ransomware attack const threshold_time = 30sec &redef; const threshold_limit = 5.0 &redef; ## Ignore list for certain filenames const ignore_list = /GoogleChrome/ &redef; redef enum Log::ID += {LOG}; type Info: record { ts: time &log; filename: string &log; entropy: double &log; mean: double &log; }; } event chunk_event (f: fa_file, data: string, off: count) { if ( off == enc_off ) { local fox_entropy = find_entropy(data[enc_sdata:enc_edata]); if ( fox_entropy$entropy >= enc_entropy && fox_entropy$mean >= enc_mean ) { SumStats::observe("SMB traffic detected", SumStats::Key(), SumStats::Observation($num=1)); local rec: FoxCryptoRansom::Info = [ $ts=network_time(), $filename = f$info$filename, $entropy=fox_entropy$entropy, $mean=fox_entropy$mean ]; Log::write(FoxCryptoRansom::LOG, rec); } } } event file_over_new_connection(f: fa_file, c: connection, is_orig: bool) { if (f$source == "SMB"){ local filename = "UNKNOWN"; if (f$info?$filename){ filename = f$info$filename; } local mime_type = "UNKNOWN"; if (f$info?$mime_type){ mime_type = f$info$mime_type; } if (mime_type == "UNKNOWN"){ if (ignore_list in filename){ return; }else{ if ( ! c$smb_state$current_file?$action){ return ; }else{ if (c$smb_state$current_file$action == SMB::FILE_WRITE){ local fuid = c$smb_state$current_file$fuid; if (fuid !in fuidmap){ Files::add_analyzer(f, Files::ANALYZER_DATA_EVENT, Files::AnalyzerArgs($chunk_event=chunk_event)); add fuidmap[fuid]; } }else{ } } } } } } event bro_init() { local r1 = SumStats::Reducer($stream="SMB traffic detected", $apply=set(SumStats::SUM)); SumStats::create([$name = "Ransomware detection", $epoch = threshold_time, $reducers = set(r1), $threshold = threshold_limit, $threshold_val(key: SumStats::Key, result: SumStats::Result) = { return result["SMB traffic detected"]$sum; }, $threshold_crossed(key: SumStats::Key, result: SumStats::Result) = { NOTICE([$note=RANSOMWARE_SMB, $msg="Ransomware encrypting share detected"]); }]); Log::create_stream(FoxCryptoRansom::LOG, [$columns=Info, $path="entropy"]); }

4 years

[Bro] Get bro to listen only to localhost

by James Lay

Interestingly, a Nessus scan now crashes bro...I can replicate this on one machine, so, how do I tell bro not to listen to all interfaces, and just localhost? It's a standalone instance. Thank you. James

4 years

[Bro] Tor script

by ps sunu

Hi any new tor detection script available in bro language ? Regards, Sunu

4 years

Re: [Bro] PySubnetTree on PyPI

by Vlad Grigorescu

Hi George, Thanks for the reminder. I've uploaded the newer versions to PyPI. Please let me know if you run into any issues. Thanks, --Vlad George Macon <George.Macon(a)gtri.gatech.edu> writes: > The PySubnetTree library was uploaded to PyPI in 2014 when it was on > version 0.23; this is still the most recent version on PyPI. This had > been originally requested in the GitHub Issue #1, which I note was never > closed. I asked on IRC where the appropriate place to ask about getting > the most recent version uploaded and was directed to the mailing list. > Can whoever controls the "bro" account on PyPI upload the newest version > of PySubnetTree? > > Thanks, > George > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

4 years

Re: [Bro] script to extract elastic search mapping from header of bro-logs

by Vlad Grigorescu

ElasticSearch gets difficult, because there's a lot of context-specific data that should be captured too, especially when it comes to indexing. For example, I liked to index domain names with a reverse-path tokenization on '.' as the delimeter, so that www.ncsa.illinois.edu will show up in searches for "edu," "illinois.edu," "ncsa.illinois.edu," and "www.ncsa.illinois.edu." Capturing this context can be very tricky, and I don't think that it's currently available in the ASCII logs. I'd be curious if anyone has thoughts on how to improve this. --Vlad Frank Meier <franky.meier.1(a)gmx.de> writes: > Hi, > > On Wed, 26 Apr 2017 05:10:04 -0700 Johanna Amann <johanna(a)icir.org> > wrote: > >> Hi, >> >> in case you are talking about importing a Bro ASCII log into the >> database >> - I did something like that for Postgres once. My script automatically >> created tables with the right types (including stuff like inet), and >> converted sets and vectors to postgres arrays. >> > > thanks, that's what I was thinking about. > > Franky > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

4 years

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek April 2017