zeek May 2017

zeek@lists.zeek.org

47 participants
54 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

[Bro] Bro logging connections after specific daytime

by gehtdichmalgarnixan gehtdichauchnixan

4 years, 11 months

[Bro] does bro need root privilege?

by Kenneth Goldman

New user, with a Fedora install. 1 - Starting with the basics. As a normal user: [BroControl] > install Error: running "bro -v" failed with output: can't open 'debug.log' for debugging output Does bro have to run as root? 2 - Is there an NNTP reflector for this mailing list? -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415)

5 years

Re: [Bro] binpac to bro script types

by Vlad Grigorescu

Well, that's protocol specific, but I did some digging: > >>> TIME_FIXUP_CONSTANT > 11644473600 > >>> hex(filetime) > '0x01d238cc0f66a007' > >>> filetime/10000000. > 13122978809.960194 > >>> _-TIME_FIXUP_CONSTANT > 1478505209.9601936 > >>> datetime.datetime.fromtimestamp(1478505209.9601936).strftime('%Y-%m-%d %H:%M:%S') > '2016-11-07 01:53:29' This is already implemented in smb-time.pac: https://github.com/bro/bro/blob/master/src/analyzer/protocol/smb/smb-time.p… You could try just adding this to your PAC file and then you'll be able to use that function: > %include ../smb/smb-time.pac Check out krb-asn1.pac for an example of including another PAC file: https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-asn1.p… --Vlad

5 years

Re: [Bro] TORRENT Detection -BRO

by Vlad Grigorescu

I looked at this a while back, and didn't pursue it because the protocol itself really doesn't have a lot of useful information. There are no filenames or really any useful metadata in the protocol (that's all contained in the .torrent file which is downloaded via a different channel). There might be something for DHT, but that would require parsing a completely different protocol. --Vlad Johanna Amann <johanna(a)icir.org> writes: > Hi, > >> Will I be able to detect torrent download using bro, i could see some >> torrent analyzers,is there any load statement should i include in local.bro >> or how to detect? > > The Bittorrent analyzer in Bro has not been touched in years and I assume > that it is not functional (it certainly has not been tested by anyone in a > long time). > > If you are interested in trying to enable it, you will have to write all > scripts yourself. As you probably are aware for most protocol analyzers we > have scripts in base/ that create the logfiles that are written to disk. > These scripts were never created for the Bittorrent analyzer - you would > have to write them from scratch (and as I mentioned I have doubts if it > still works). > > So - short version - there is no quick and easy way to enable it > currently. > > Johanna > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

5 years

[Bro] Bro sqli + xss sans paper

by Alex Kefallonitis

I am trying to add the two scripts for sqli and xss from this paper https://www.sans.org/reading-room/whitepapers/detection/web-application-att… but i get this error HTTP::c$http$first_chunk no such a field in record... Anyone knows what is happening? Thanks in advanced.

5 years

[Bro] Bro Package Manager Questionnaire

by Dopheide, Jeannette M

The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, which additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable. Please let us know what features you would like to see by filling out our questionnaire: https://goo.gl/forms/VyVH1aRIBB2qdZF53 ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

5 years

[Bro] webapp detection

by Raj Kumar

Hi All, Am trying to use the webapp detection script to detect webapps like facebook etc I saw previous threads it was mentioned to enable "*Make sure to set your Sites::local_net variable * If you set it to 0.0.0.0/0 I have included 0.0.0.0/0 in networks.cfg, I have also included in local.bro @load protocols/http/detect-webapps redef Software::asset_tracking = ALL_HOSTS; still I couldnt see any webapps traffic mentioning facebook i could see only multicast address like 224.0.0.251 Any solution ,much appreciated Thanks, *Raj* *IT Consultant* *Mobile: ** +45 **81923531* *Lyskær 9** [image: Inline images 1]* *2730 Herlev, Denmark * *Web: **http://www.capmon.dk <http://www.capmon.dk/>*

5 years

[Bro] - see all triggered events on a given pcap file

by william de ping

Hi all, Does anyone know a way to get a list of all triggered events given a pcap file ? Currently what I do is just print some indicative message for each suspected relevant events (quit tedious task) Thanks B

5 years

[Bro] BRO - Ransomware

by Raj Kumar

Hi All, If am trying to add smb-ransomware.bro , to my bro setup ,where should I include this in the bro directories. root@csh:/home/raj# find / -name "smb" /nsm/bro/share/bro/policy/protocols/smb /nsm/bro/share/bro/base/protocols/smb /opt/bro/bro-2.5/testing/btest/Traces/smb /opt/bro/bro-2.5/testing/btest/scripts/base/protocols/smb /opt/bro/bro-2.5/scripts/policy/protocols/smb /opt/bro/bro-2.5/scripts/base/protocols/smb /opt/bro/bro-2.5/build/src/analyzer/protocol/smb /opt/bro/bro-2.5/src/analyzer/protocol/smb and after this I can include in local.bro, @load policy/protocols/smb Thanks, *Raj*

5 years

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2017