zeek May 2017

zeek@lists.zeek.org

47 participants
53 discussions

Start a nNew thread

[Bro] Bro logging connections after specific daytime

by gehtdichmalgarnixan gehtdichauchnixan

3 years, 9 months

[Bro] does bro need root privilege?

by Kenneth Goldman

New user, with a Fedora install. 1 - Starting with the basics. As a normal user: [BroControl] > install Error: running "bro -v" failed with output: can't open 'debug.log' for debugging output Does bro have to run as root? 2 - Is there an NNTP reflector for this mailing list? -- Ken Goldman kgoldman(a)us.ibm.com 914-945-2415 (862-2415)

3 years, 10 months

Re: [Bro] binpac to bro script types

by Vlad Grigorescu

Well, that's protocol specific, but I did some digging: > >>> TIME_FIXUP_CONSTANT > 11644473600 > >>> hex(filetime) > '0x01d238cc0f66a007' > >>> filetime/10000000. > 13122978809.960194 > >>> _-TIME_FIXUP_CONSTANT > 1478505209.9601936 > >>> datetime.datetime.fromtimestamp(1478505209.9601936).strftime('%Y-%m-%d %H:%M:%S') > '2016-11-07 01:53:29' This is already implemented in smb-time.pac: https://github.com/bro/bro/blob/master/src/analyzer/protocol/smb/smb-time.p… You could try just adding this to your PAC file and then you'll be able to use that function: > %include ../smb/smb-time.pac Check out krb-asn1.pac for an example of including another PAC file: https://github.com/bro/bro/blob/master/src/analyzer/protocol/krb/krb-asn1.p… --Vlad

3 years, 10 months

Re: [Bro] TORRENT Detection -BRO

by Vlad Grigorescu

I looked at this a while back, and didn't pursue it because the protocol itself really doesn't have a lot of useful information. There are no filenames or really any useful metadata in the protocol (that's all contained in the .torrent file which is downloaded via a different channel). There might be something for DHT, but that would require parsing a completely different protocol. --Vlad Johanna Amann <johanna(a)icir.org> writes: > Hi, > >> Will I be able to detect torrent download using bro, i could see some >> torrent analyzers,is there any load statement should i include in local.bro >> or how to detect? > > The Bittorrent analyzer in Bro has not been touched in years and I assume > that it is not functional (it certainly has not been tested by anyone in a > long time). > > If you are interested in trying to enable it, you will have to write all > scripts yourself. As you probably are aware for most protocol analyzers we > have scripts in base/ that create the logfiles that are written to disk. > These scripts were never created for the Bittorrent analyzer - you would > have to write them from scratch (and as I mentioned I have doubts if it > still works). > > So - short version - there is no quick and easy way to enable it > currently. > > Johanna > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

3 years, 10 months

[Bro] Bro sqli + xss sans paper

by Alex Kefallonitis

I am trying to add the two scripts for sqli and xss from this paper https://www.sans.org/reading-room/whitepapers/detection/web-application-att… but i get this error HTTP::c$http$first_chunk no such a field in record... Anyone knows what is happening? Thanks in advanced.

3 years, 10 months

[Bro] Bro Package Manager Questionnaire

by Dopheide, Jeannette M

The Bro team would like to encourage the development of Bro scripts and plugins by creating a website front-end for the Bro Package Manager, which additional functionality to be determined. We are seeking input from the Bro user community as to what features would be desirable. Please let us know what features you would like to see by filling out our questionnaire: https://goo.gl/forms/VyVH1aRIBB2qdZF53 ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

3 years, 10 months

[Bro] webapp detection

by Raj Kumar

Hi All, Am trying to use the webapp detection script to detect webapps like facebook etc I saw previous threads it was mentioned to enable "*Make sure to set your Sites::local_net variable * If you set it to 0.0.0.0/0 I have included 0.0.0.0/0 in networks.cfg, I have also included in local.bro @load protocols/http/detect-webapps redef Software::asset_tracking = ALL_HOSTS; still I couldnt see any webapps traffic mentioning facebook i could see only multicast address like 224.0.0.251 Any solution ,much appreciated Thanks, *Raj* *IT Consultant* *Mobile: ** +45 **81923531* *Lyskær 9** [image: Inline images 1]* *2730 Herlev, Denmark * *Web: **http://www.capmon.dk <http://www.capmon.dk/>*

3 years, 10 months

[Bro] - see all triggered events on a given pcap file

by william de ping

Hi all, Does anyone know a way to get a list of all triggered events given a pcap file ? Currently what I do is just print some indicative message for each suspected relevant events (quit tedious task) Thanks B

3 years, 10 months

[Bro] BRO - Ransomware

by Raj Kumar

Hi All, If am trying to add smb-ransomware.bro , to my bro setup ,where should I include this in the bro directories. root@csh:/home/raj# find / -name "smb" /nsm/bro/share/bro/policy/protocols/smb /nsm/bro/share/bro/base/protocols/smb /opt/bro/bro-2.5/testing/btest/Traces/smb /opt/bro/bro-2.5/testing/btest/scripts/base/protocols/smb /opt/bro/bro-2.5/scripts/policy/protocols/smb /opt/bro/bro-2.5/scripts/base/protocols/smb /opt/bro/bro-2.5/build/src/analyzer/protocol/smb /opt/bro/bro-2.5/src/analyzer/protocol/smb and after this I can include in local.bro, @load policy/protocols/smb Thanks, *Raj*

3 years, 10 months

[Bro] Connections in conn.log

by mike anastasakis

Hello, I have a question regarding how the connections are created in conn.log. I thought that the combination tuple o (src_ip, src_port, dest_ip, dest_port)was used to define one connection but this is not the case. >From my conn.log file I have 6 connections with 6 unique different uids but with the same exact combination tuple mentioned above. The first connection is the one that establishes the ssl connection and the other 5 are identified as *OTH *which is No *SYN seen, just midstream traffic (a “partial connection” that was not later closed).* Are they not all included in the same connection because bro did not identify the ssl connection closing? If so, does this mean that bro considers a flow as a unique connection if there is a problem protocol beggining and ending? Kind Regards, Michael

3 years, 10 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2017