zeek June 2017

zeek@lists.zeek.org

52 participants
61 discussions

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

3 years

[Bro] Bro logging connections after specific daytime

by gehtdichmalgarnixan gehtdichauchnixan

3 years, 6 months

[Bro] ERSPAN & Missing Logs

by Kyle Reidell

Hello all, I am attempting to monitor a Cisco CSR1000v within AWS via ERSPAN. Through my research, I am running Bro version 2.5-147 on an AWS Linux AMI and have uploaded a pcap containing ERSPAN data which I have been able to read; however, the only log files that are being created from Bro/live traffic are the following: capture_loss stats stderr stdout weird communication As a test, I have used tcpdump to capture packets on the configured interface (mon0) which sees plenty of traffic, however, I still cannot see the corresponding logs from Bro. Any help would be greatly appreciated!! Thank you, Planearium

3 years, 6 months

[Bro] Bro Package Manager: list of packages

by Dopheide, Jeannette M

Attention Bro Community, While we’re in the process of developing a web site for the Bro Package Manager project, we’d like to share the packages we have collected so far. The package names and a short description are listed below: bro/0xxon/bro-postgresql - A PostgreSQL reader and writer for Bro. bro/0xxon/bro-sumstats-counttable - Two-dimensional buckets for sumstats (count occurences per $str). bro/corelight/bro-long-connections - Find and log long-lived connections into a "conn_long" log. bro/dopheide/bro_notice_correlation - Adds support for multi-notice correlation. bro/dopheide/venom (installed: master) - https://security.web.cern.ch/security/venom.shtml bro/hhzzk/dns-tunnels - Detect DNS Tunnels attack. bro/initconf/CVE-2017-5638_struts.git bro/initconf/phish-analysis.git bro/initconf/scan-NG bro/j-gras/add-json - Additional JSON-logging for Bro. bro/j-gras/bro-af_packet-plugin - This plugin provides native AF_Packet support for Bro. bro/j-gras/intel-extensions - Extensions for Bro's intelligence framework. bro/joesecurity/Joe-Sandbox-Bro - JoeSandbox-Bro extracts files from your internet connection and analyzes them automatically on Joe Sandbox. bro/jonzeolla/scan-sampling - Modified version of scan.bro to add destination IP sampling. bro/jsiwek/bro-test-package - An example Bro package for testing purposes. bro/jswaro/tcprs - TCP Retransmission and State Analyzer plugin for Bro. bro/ncsa/bro-interface-setup - A broctl plugin that helps you setup capture interfaces bro/pgaulon/bro-notice-slack - Bro Notices through Slack webhook bro/scebro/ldap-analyzer - LDAP write operations analyzer for Bro. bro/sethhall/bro-myricom - Packet source plugin that provides native Myricom SNF v3+v4 support. bro/sethhall/credit-card-exposure - Detect credit card numbers in HTTP and SMTP with Bro. bro/sethhall/domain-tld bro/sethhall/ssn-exposure - Detect US Social Security numbers in HTTP and SMTP with Bro. bro/srozb/dns_axfr - Find and notice DNS zone transfer attempts. bro/theflakes/bro-large_uploads - Raise notices on outgoing files over X bytes in size. To learn how to use the Package Manager, see our documentation here: http://bro-package-manager.readthedocs.io/en/stable/index.html ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

3 years, 6 months

[Bro] v2.5 Bro Log Cheat Sheets

by Dopheide, Jeannette M

Corelight has made its Bro Log cheat sheets public on their Github: https://github.com/corelight/bro-cheatsheets ------ Jeannette Dopheide Training and Outreach Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

3 years, 6 months

[Bro] Bro 2.5.1 release

by Johanna Amann

We are very happy to announce the release of Bro v2.51. The new version is now available for download at: https://bro.org/download/index.html Binary packages also are available at: https://bro.org/download/packages.html This release contains a number of bug fixes. Fixes include: - Better file analysis memory management - Less cluster node communication - Correct expiration of intelligence items after reinsertion - A bug in the OCSP validation code This point-release also includes a number of new features, including new file handling BIFS, support for ERSPAN, and new BroControl options. For more information see the NEWS and CHANGES files: https://www.bro.org/download/NEWS.bro.html https://www.bro.org/download/CHANGES.bro.txt Thanks to everyone who helped make this release possible. We extend special thanks to the community for their feedback and support. Johanna

3 years, 6 months

[Bro] Relationship between custom protocol analyzer and weird log

by Valerio

Hi all, I am experiencing a strange behaviour in BRO that I am not able to troubleshoot autonomously. I developed a simple binary protocol analyzer that produces a log file of type prot1.log. If I run bro offline on a dedicated pcap it correctly outputs prot1.log with the proper record. If I run bro sniffing on an interface and I tcpreplay the pcap on the sniffed interface I get weird.log with SYN_inside_connection warning. Is weird preemting the application of my analyzer? many thanks in advance, Valerio

3 years, 6 months

[Bro] Bro node.cfg not setting Myricom Sniffer10G environment variables

by Chris Chiaverini

It seems that bro 2.5.1 is not taking the SNF_DATARING_SIZE variable, no matter what I set it to. When at the defaults in the /etc/bro/node.cfg and with nothing set at the shell, it still reports it is set via "userset" instead of "default" like SNF_DESCRING_SIZE. Here is the defaults: - Nothing at shell #env | grep SNF # - node.cfg with defaults #fgrep -A 12 worker-1 node.cfg [worker-1] type=worker host=<MYHOSTNAME> interface=snf0 lb_method=myricom lb_procs=8 #lb_procs=7 ### Keep it on one NUMA node ## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22 ## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23 pin_cpus=2,4,6,8,10,12,14,16 env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3 # - defaults show "userset" for SNF_DATARING_SIZE #fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log 121273 snf.0.-1 P (*userset*) * SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)* 121273 snf.0.-1 P (*default*) *SNF_DESCRING_SIZE = 67108864 (0x4000000) (64.0 MiB)* 121273 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3) 121273 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr 121273 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40 # ------------------------------------------- - Manually setting *SNF_DATARING_SIZE* and *SNF_DESCRING_SIZE* #fgrep -A 12 worker-1 node.cfg [worker-1] type=worker host=<MYHOSTNAME> interface=snf0 lb_method=myricom lb_procs=8 #lb_procs=7 ### Keep it on one NUMA node ## NUMA node0 CPU(s): 0,2,4,6,8,10,12,14,16,18,20,22 ## NUMA node1 CPU(s): 1,3,5,7,9,11,13,15,17,19,21,23 pin_cpus=2,4,6,8,10,12,14,16 #env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3 env_vars=SNF_APP_ID=10,SNF_FLAGS=0x1,SNF_NUM_RINGS=8,SNF_DEBUG_MASK=3,*SNF_DATARING_SIZE=4294967296,SNF_DESCRING_SIZE=1073741824* # - deploy new config with restart #/opt/bro/bin/broctl deploy <OMITTED> - SNF_DATARING_SIZE still set to 128MB like in default and still reports that it was set via "userset" (should be 4GB set via "environ") #fgrep SNF_D /data01/bro/spool/worker-1-1/stderr.log 34852 snf.0.-1 P *(userset) SNF_DATARING_SIZE = 134217728 (0x8000000) (128.0 MiB)* 34852 snf.0.-1 P *(environ) SNF_DESCRING_SIZE = 1073741824 (0x40000000) (1024.0 MiB)* 34852 snf.0.-1 P (environ) SNF_DEBUG_MASK = 3 (0x3) 34852 snf.0.-1 P (default) SNF_DEBUG_FILENAME = stderr 34852 snf.0.-1 P SNF_DEBUG_MASK=0x3 for modes WARN=0x1, PARAM=0x2 QSTATS=0x4 TIMESYNC=0x8 IOCTL=0x10 QEVENTS=0x20 ARISTA=0x40 # -- Regards, Chris Chiaverini Cyber Security Operations Brookhaven National Laboratory Upton, New York 11973

3 years, 6 months

[Bro] get TCP payload of first ACK from client

by Xu Zhang

Hello, I'm writing a bro script to output TCP payload of first ack from client (is_orig = True), I'm currently using tcp_packet event, check the ack flag and payload length as well as if it is the first ack. I'm wondering if there is a cheaper way to achieve this, since tcp_packet is pretty expensive. I cannot use connection_first_ACK event because it does not give me the actual TCP payload. I cannot use ssl_client_hello because i want to handle not only ssl. Does anyone have suggestions? Thanks for the help! -- Sincerely, Xu Zhang

3 years, 6 months

[Bro] Bro 2.5 appears to be ignoring redefs of Pcap::snaplen

by Kevin Branch

For a long time I have used "redef Pcap::snaplen = 1600;" in local.bro to make Bro drop its default snaplen from 8192 to 1600. This is helpful for conserving memory when using Bro in conjunction with PF_RING and a high number of ring slots. Today I just noticed that while Bro does not complain about "redef Pcap::snaplen = 1600;" when I run a "broctl check", that Bro appears to be ignoring the redef. All my Bro instances are actually using a snaplen of 8192. I use Bro on the latest Security Onion Ubuntu 14.04 platform, and have observed this problem with both PF_RING 6.4.1 (SO stable) and PF_RING 6.6.0 (SO test). The "Bucket Len" in the below PF_RING status file corresponds to the snaplen of the app that allocated the ring. root@nsm.xyz.org:~# cat /proc/net/pf_ring/15028-dmz.9 Bound Device(s) : dmz Active : 1 Breed : Standard Appl. Name : bro-dmz Socket Mode : RX+TX Capture Direction : RX+TX Sampling Rate : 1 IP Defragment : No BPF Filtering : Enabled Sw Filt Hash Rules : 0 Sw Filt WC Rules : 0 Hw Filt Rules : 0 Sw Filt Hash Match : 0 Sw Filt Hash Miss : 0 Poll Pkt Watermark : 1 Num Poll Calls : 345386919 Channel Id Mask : 0xFFFFFFFFFFFFFFFF Cluster Id : 21 Slot Version : 16 [6.4.1] Min Num Slots : 128000 Bucket Len : 8192 Slot Len : 8248 [bucket+header] Tot Memory : 1055756288 Tot Packets : 1966471960 Tot Pkt Lost : 3 Tot Insert : 1966471957 Tot Read : 1966471957 Insert Offset : 809944608 Remove Offset : 809944608 Num Free Slots : 128000 TX: Send Ok : 0 TX: Send Errors : 0 Reflect: Fwd Ok : 0 Reflect: Fwd Errors: 0 Please advise me about how to successfully change the snaplen used by Bro 2.5 at this time, Can anyone reproduce this problem? I don't know if this issue applies across the board or only comes up with PF_RING. Let me know if there is anything I can do to help test this issue. Thanks! Kevin

3 years, 6 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2017