zeek June 2017

zeek@lists.zeek.org

52 participants
62 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 days, 20 hours

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

4 years

[Bro] Bro logging connections after specific daytime

by gehtdichmalgarnixan gehtdichauchnixan

4 years, 6 months

[Bro] ERSPAN & Missing Logs

by Kyle Reidell

Hello all, I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have uploaded a pcap containing ERSPAN data which I have been able to read; however, the only log files that are being created from Bro/live traffic are the following: capture_loss stats stderr stdout weird communication As a test, I have used tcpdump to capture packets on the configured interface (mon0) which sees plenty of traffic, however, I still cannot see the corresponding logs from Bro. Any help would be greatly appreciated!! Thank you, Planearium

4 years, 7 months

[Bro] Bro Package Manager: list of packages

by Dopheide, Jeannette M

Attention Bro Community, While we’re in the process of developing a web site for the Bro Package Manager project, we’d like to share the packages we have collected so far. The package names and a short description are listed below: bro/0xxon/bro-postgresql - A PostgreSQL reader and writer for Bro. bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str). bro/corelight/bro-long-connections - Find and log long-lived connections into a "conn_long" log. bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation. bro/dopheide/venom (installed: master) - https://security.web.cern.ch/security/venom.shtml bro/hhzzk/dns-tunnels - Detect DNS Tunnels attack. bro/initconf/CVE-2017-5638_struts.git bro/initconf/phish-analysis.git bro/initconf/scan-NG bro/j-gras/add-json - Additional JSON-logging for Bro. bro/j-gras/bro-af_packet-plugin - This plugin provides native AF_Packet support for Bro. bro/j-gras/intel-extensions - Extensions for Bro's intelligence framework. bro/joesecurity/Joe-Sandbox-Bro - JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox. bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling. bro/jsiwek/bro-test-package - An example Bro package for testing purposes. bro/jswaro/tcprs - TCP Retransmission and State Analyzer plugin for Bro. bro/ncsa/bro-interface-setup - A broctl plugin that helps you setup capture interfaces bro/pgaulon/bro-notice-slack - Bro Notices through Slack webhook bro/scebro/ldap-analyzer - LDAP write operations analyzer for Bro. bro/sethhall/bro-myricom - Packet source plugin that provides native Myricom SNF v3+v4 support. bro/sethhall/credit-card-exposure - Detect credit card numbers in HTTP and SMTP with Bro. bro/sethhall/domain-tld bro/sethhall/ssn-exposure - Detect US Social Security numbers in HTTP and SMTP with Bro. bro/srozb/dns_axfr - Find and notice DNS zone transfer attempts. bro/theflakes/bro-large_uploads - Raise notices on outgoing files over X bytes in size. To learn how to use the Package Manager, see our documentation here: http://bro-package-manager.readthedocs.io/en/stable/index.html ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

4 years, 7 months

[Bro] v2.5 Bro Log Cheat Sheets

by Dopheide, Jeannette M

Corelight has made its Bro Log cheat sheets public on their Github: https://github.com/corelight/bro-cheatsheets ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

4 years, 7 months

[Bro] Bro 2.5.1 release

by Johanna Amann

We are very happy to announce the release of Bro v2.51. The new version is now available for download at: https://bro.org/download/index.html Binary packages also are available at: https://bro.org/download/packages.html This release contains a number of bug fixes. Fixes include: - Better file analysis memory management - Less cluster node communication - Correct expiration of intelligence items after reinsertion - A bug in the OCSP validation code This point-release also includes a number of new features, including new file handling BIFS, support for ERSPAN, and new BroControl options. For more information see the NEWS and CHANGES files: https://www.bro.org/download/NEWS.bro.html https://www.bro.org/download/CHANGES.bro.txt Thanks to everyone who helped make this release possible. We extend special thanks to the community for their feedback and support. Johanna

4 years, 7 months

[Bro] Relationship between custom protocol analyzer and weird log

by Valerio

Hi all, I am experiencing a strange behaviour in BRO that I am not able to troubleshoot autonomously. I developed a simple binary protocol analyzer that produces a log file of type prot1.log. If I run bro offline on a dedicated pcap it correctly outputs prot1.log with the proper record. If I run bro sniffing on an interface and I tcpreplay the pcap on the sniffed interface I get weird.log with SYN_inside_connection warning. Is weird preemting the application of my analyzer? many thanks in advance, Valerio

4 years, 7 months

[Bro] Bro node.cfg not setting Myricom Sniffer10G environment variables

by Chris Chiaverini

It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE variable, no matter what I set it to. When at the defaults in the /etc/bro/node.cfg and with nothing set at the shell, it still reports it is set via "userset" instead of "default" like SNF_DESCRING_SIZE. Here is the defaults: - Nothing at shell #env | grep SNF # - node.cfg with defaults #fgrep -A 12 worker-1 node.cfg [worker-1] type=worker host=<MYHOSTNAME> interface=snf0 lb_method=myricom lb_procs=8 #lb_procs=7 ### Keep it on one NUMA node ## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22 ## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23 pin_cpus=2,4,6,8,10,12,14,16 env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3 # - defaults show "userset" for SNF_DATARING_SIZE #fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log 121273 snf.0.-1 P (*userset*) * SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)* 121273 snf.0.-1 P (*default*) *SNF_DESCRING_SIZE = 67108864 (0x4000000) (64.0 MiB)* 121273 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3) 121273 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr 121273 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40 # ------------------------------------------- - Manually setting *SNF_DATARING_SIZE* and *SNF_DESCRING_SIZE* #fgrep -A 12 worker-1 node.cfg [worker-1] type=worker host=<MYHOSTNAME> interface=snf0 lb_method=myricom lb_procs=8 #lb_procs=7 ### Keep it on one NUMA node ## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22 ## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23 pin_cpus=2,4,6,8,10,12,14,16 #env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3 env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3,*SNF_DATARING_SIZE=4294967296,SNF_DESCRING_SIZE=1073741824* # - deploy new config with restart #/opt/bro/bin/broctl deploy <OMITTED> - SNF_DATARING_SIZE still set to 128MB like in default and still reports that it was set via "userset" (should be 4GB set via "environ") #fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log 34852 snf.0.-1 P *(userset) SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)* 34852 snf.0.-1 P *(environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)* 34852 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3) 34852 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr 34852 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40 # -- Regards, Chris Chiaverini Cyber Security Operations Brookhaven National Laboratory Upton, New York 11973

4 years, 7 months

[Bro] get TCP payload of first ACK from client

by Xu Zhang

Hello, I'm writing a bro script to output TCP payload of first ack from client (is_orig = True), I'm currently using tcp_packet event, check the ack flag and payload length as well as if it is the first ack. I'm wondering if there is a cheaper way to achieve this, since tcp_packet is pretty expensive. I cannot use connection_first_ACK event because it does not give me the actual TCP payload. I cannot use ssl_client_hello because i want to handle not only ssl. Does anyone have suggestions? Thanks for the help! -- Sincerely, Xu Zhang

4 years, 7 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2017