zeek August 2017

zeek@lists.zeek.org

43 participants
46 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

[Bro] Best way to contribute to existing analyzer

by Valerio

Hi all, I'd like to ask guidance on how to contribute to BRO by proposing extensions to existing protocol analyzers. For instance, suppose that I realize a patch to the DHCP analyzer that includes new unsupported options. Such patch would impact on multiple files like those in src/analyzer/protocol/dhcp, scripts/base/protocols/dhcp as well as new types to be included in init-bare.bro. What would be the best procedure (and format) to submit such a patch? best, Valerio

4 years, 5 months

[Bro] debug prints

by Dk Jack

Hi All, I am noticing a weird issue. I am not seeing debug prints from my scripts. Initially some debug prints show up in stdout.log. Debug prints I make when analyzing traffic i.e. http_header event etc are not showing up. I am using flush_all() in my scripts and yet the debugs are not showing up in stdout.log. Could someone comment on what could be going here? Thanks. Dk

4 years, 9 months

[Bro] http response timeout

by Dk Jack

Hi, In my http.log, I am seeing some lines being written without response code etc. What could be the reason for this? One reason I could think of was, what if the server or some entity between bro and the server that dropped the request/response thus preventing the response from reaching bro or the connection is closed on receiving the request by a downstream security device. How does bro react in such cases? could one of these scenarios explain why the response fields are missing from the log? Dk.

4 years, 9 months

[Bro] Nested modules in /opt/app/bro/share/bro/site/ not working?

by Glenn Forbes Fleming Larratt

Folks, This may well be an RTFM - I just don't know which section would cover this. I have two modules created in /opt/app/bro/share/bro/site/ , with the intention of having one @load the other - but I cannot seem to get the combination to work, and I'm unsure even where the failure is. The @load'ed module, "CU_net_defs", is intended as a shim to some .csv files, periodically updated from the central DB which tracks internal subnet allocations, which is supposed to instantiate two global sets of CIDR's, one for top-level allocations (e.g. 128.253.0.0), and the other for internally-allocated subnets (e.g. 128.253.101.0/25). The @load'ing module, "bro-wsSMTP", is intended to detect user workstations et.al. that have been compromised and are acting as spambots, by the following methodology. - understand the top-level allocations by @load'ing CU_net_defs; - understand an internal set of our e-mail infrastructure hosts and networks; and - generate logfiles, "ws-smtp.{}.log", containing entries where -- id$orig_h is part of a campus allocation; -- id$orig_h is *not* part of our e-mail infrastructure; and -- id$resp_h is *not* part of a campus allocation. The final goal is to have the resulting "ws-smtp.{}.log" files fed into Splunk for detection/correlation. The thing is, once I create an expression intended to isolate by way of the criteria above, I get no results whatever - even though the data is clearly in the normal smtp.log file. Slightly abridged instances of the module files are appended below. Can anyone shed any light on this? Thanks for any info, -- Glenn Forbes Fleming Larratt Cornell University IT Security Office ===== CU_net_defs/CU_net_defs.bro ===== module CU_net_defs; export { type IDX: record { cidr: subnet; }; global CU_subnets: set[subnet]; global CU_allocations: set[subnet]; } event bro_init() { Input::add_table([$source="/users/bro/devel/DNSDBnc/CU_subnets.txt", $name="CU_subnets", $idx = IDX, $destination=CU_subnets]); Input::remove("CU_subnets"); Input::add_table([$source="/users/bro/devel/DNSDBnc/CU_allocations.txt", $name="CU_allocations", $idx = IDX, $destination=CU_allocations]); Input::remove("CU_allocations"); } ======================================= ===== bro-wsSMTP/ws-SMTP-outbound.bro ===== @load base/protocols/smtp @load CU_net_defs module ws_SMTP_outbound; export { global local_mail_infra: set[subnet] = { 128.253.150.128/25, [stuff redacted...] 132.236.101.7/32 }; } event bro_init() { Log::add_filter(SMTP::LOG, [$name = "ws-smtp-outbound", $path = "ws-smtp", $pred(rec: SMTP::Info) = { return rec$id?$orig_h && rec$id$orig_h in CU_net_defs::CU_allocations && !(rec$id$orig_h in local_mail_infra) && rec$id?$resp_h && !(rec$id$resp_h in CU_net_defs::CU_allocations) ; } ] ); } ===========================================

4 years, 10 months

[Bro] broctl startup error

by Allen, Brian

Hi, I just upgraded my BRO cluster machines from ubuntu 14.02 to 16.04. I just installed the latest version of BRO on the manager. All the machines in the cluster return this: $ bro --version bro version 2.5-294 But when I try to run broctl on the manager to start it up again, I get this error: $ sudo broctl Warning: the SitePolicyStandalone option is deprecated (use SitePolicyScripts instead). Welcome to BroControl 1.7-7 Type "help" for help. [BroControl] > check manager scripts failed. /bin/sh: 1: Syntax error: "(" unexpected proxy-1 scripts failed. /bin/sh: 1: Syntax error: "(" unexpected proxy-2 scripts failed. /bin/sh: 1: Syntax error: "(“ unexpected . . .More of the same type of error . . . worker-3-16 scripts failed. /bin/sh: 1: Syntax error: "(" unexpected worker-3-17 scripts failed. /bin/sh: 1: Syntax error: "(" unexpected worker-3-18 scripts failed. /bin/sh: 1: Syntax error: "(" unexpected Any suggestions for where to find the file/script with the problem? Thanks for your help, -Brian ________________________________ The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

4 years, 10 months

[Bro] Question: using Log Filter Framework

by James Dickenson

Hey All, Hey I've been trying to use the log filter framework to filter out various things like certain IP ranges and other records. Here is my attempt but Bro is complaining about line 8 saying my syntax isn't correct. Does anyone know what I'm doing wrong? I've been using Seth's blog post on the framework as an example of how to build the log filters. ---> http://blog.bro.org/2012/02/filtering-logs-with-bro.html Thanks in advance! -James D. ###### code ####### global filter_ip_set: subnet = 1.0.0.0/8 &redef; event bro_init() { Log::remove_default_filter(HTTP::LOG); Log::add_filter(HTTP::LOG, [$name="orig_h_filter", $pred(rec: HTTP::Info) = { rec$id$orig_h in $filter_ip_set; } ]); Log::add_filter(HTTP::LOG, [$name="resp_h_filter", $pred(rec: HTTP::Info) = { rec$id$resp_h in $filter_ip_set; } ]); } ######################### ###### error ######## error in **snip*** test.bro, line 8: syntax error, at or near ";"

4 years, 10 months

[Bro] http multi-part

by Dk Jack

Hi, I am trying to perform some analysis on the HTTP body. For regular messages I am accumulating the http body using http_entity_data and http_end_entity events. However, this doesn't seem to work for multi-part post message. How do I accumulate multi-part post messages. Any help is appreciated. Thanks. Dk.

4 years, 10 months

[Bro] binpac

by ps sunu

Hi, Hi how to write protocol using binPac ? any working sample available ?

4 years, 10 months

Re: [Bro] binpac

by Vlad Grigorescu

I might start with this tutorial: https://www.bro.org/development/howtos/binpac-sample-analyzer.html There's also this presentation I gave a few BroCons back: https://www.youtube.com/watch?v=1eDIl9y6ZnM --Vlad ps sunu <pssunu6(a)gmail.com> writes: > Hi, > Hi how to write protocol using binPac ? any working sample available ? > _______________________________________________ > Bro mailing list > bro(a)bro-ids.org > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

4 years, 10 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek August 2017