Does anyone have a recommended way to handle a sensor that also runs a DNS
resolver/forwarder?
Since the requests "originate" at the sensor there is no other side of the
traffic for Zeek to see. This generates a weird.log possible_split_routing
entry for every forwarded DNS request.
Is this generally avoided by moving DNS off the firewall/sensor, or are
there other ways of handling this?
Thanks,
Michael
So here we go. I've attacked this with my lab and here are some thoughts/results. Current state:
- bro-2.6 installed from source (config option --prefix=/opt/bro)
- bro-af_packet-plugin, ja3, intel-seen-more, domain-tld installed via bro-pkg
After upgrading to bro-2.6.1, errors like the below:
fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot
load plugin library
/opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so:
/opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so:
undefined symbol: bro_version_2_6_plugin_6
Next up, remove and reinstall bro-af_packet-plugin:
root@# bro-pkg remove bro-af_packet-plugin
The following packages will be REMOVED:
bro/j-gras/bro-af_packet-plugin
Proceed? [Y/n] y
Removed "bro/j-gras/bro-af_packet-plugin"
root@# bro-pkg install bro-af_packet-plugin
The following packages will be INSTALLED:
bro/j-gras/bro-af_packet-plugin (1.3.0)
Proceed? [Y/n] y
Running unit tests for "bro/j-gras/bro-af_packet-plugin"
[ 0%] scripts.show-plugin ... failed
% 'bro -NN Bro::AF_Packet > output' failed unexpectedly (exit code 1)
% cat .stderr
fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot
load plugin library
/root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so:
/root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so:
undefined symbol: bro_version_2_6_plugin_6
1 of 1 test failed
error: bro/j-gras/bro-af_packet-plugin tests failed, inspect contents of
/root/.bro-pkg/testing/bro-af_packet-plugin for details
Proceed to install anyway? [N/y] n
Abort.
A thought occurs: modify /root/.bro-pkg/config -> bro_dist = /build/bro-2.6.1
All works. So long story short, the upgrade process going forward should be:
1. ./configure, make, make install
2. bro-pkg autoconfig
3. bro-pkg refresh
and on from there. It might be worthwhile to annotate somewhere in the
README or create an UPGRADE in the tarball to reflect that bro-pkg will
need some attention as well during the upgrade process. Thank you!
James
Is there a timetable available yet for the release of RPMs of zeek/bro's latest release via the repo?
Regards
Robert Cotter
Sales Engineer - APAC Region
http://www.endace.com/
Bro v2.6.1 is available for download:
https://www.zeek.org/download/index.html
https://www.zeek.org/downloads/bro-2.6.1.tar.gz
This release updates the embedded SQLite to version 3.26.0 to
address the "Magellan" remote code execution vulnerability. The
stock Bro configuration/scripts don't use SQLite by default, but
custom user scripts/packages may.
This release also updates Broker to v1.1.2, which includes a
minor bug fix in its Python bindings and improved support for
building it as a static library.
Hello everyone,
As part of renaming Bro to Zeek, we are going to change the addresses and
names of all our mailing lists.
The important thing first: this change is going to happen tomorrow
(Thursday), 12/20. The mailing list rename will happen during a system
maintenance window at ICSI (which is hosting the mailing list). Thus the
mailing lists (including the archives) will be unavailable for a few hours
during the day on Thursday. Mails sent to the lists during this time
should be queued and delivered when the system is back up.
The current Bro mailing lists will be renamed as follows:
bro(a)bro.org -> zeek(a)zeek.org
bro-dev(a)bro.org -> zeek-dev(a)zeek.org
bro-commits(a)bro.org -> zeek-commits(a)zeek.org
bro-announce(a)bro.org -> zeek-announce(a)zeek.org
Similarly we will change the mailing list subject tags from Bro to Zeek.
There will be redirects from the old mailing list names to the new ones,
so mails sent to the old addresses will not be lost.
Johanna
Hi all,
I would appreciate recommendations for a DB server that is most suited for
ingesting and digesting Bro logs.
I know of some use cases involving splunk and the Splunk Bro app, but price
and performance wise (10GBps incoming traffic) it does not seem to be the
best solution out there.
Does anyone have any experience with Bro and ElasticSearch | Redis | MySQL?
I am looking into different solutions and would appreciate your thoughts.
Thanks in advance
B
Sam,
I'm not sure if you got what you were looking for or if this input of
mine will help, but I use the "worker" tag to help me identify which
interface the logged event was seen on. The events in the conn log show
the worker name for the event seen when logging. There is also a unique
number for each process so in the below node.cfg example the logs would
include a field that states "worker-1-1", "worker-1-2", "worker-2-1", or
"worker-2-2". When I see worker-1 in the log I know it was seen on eth1
and when I see worker-2 in the log I know it was seen on eth2.
Hope this helped.
Example node.cfg:
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
type=worker
host=localhost
interface=eth1
#
[worker-2]
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
type=worker
host=localhost
interface=eth2
On 12/14/18 9:03 AM, bro-request(a)bro.org wrote:
> Message: 5
> Date: Fri, 14 Dec 2018 10:11:06 +0000
> From: Samual Barker <sbarker(a)nettitude.com>
> Subject: [Bro] Adding interface to bro logs
> To: "bro(a)bro.org" <bro(a)bro.org>
> Message-ID: <7b5c0455f98c426c8f1c01e5f6d6fedb(a)nettitude.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
>
> Does anyone know how to add the name of the interface Bro is listening on to the logs? I currently have a server listening on multiple interfaces and would be useful to have the interface logged so that I can retrieve the pcap for any event more easily
>
>
> Many thanks
>
> Sam
>
--
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero(a)cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
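Turning the node.cfg above into a lookup from per-process worker names (worker-1-1, worker-1-2, ...) back to the capture interface, as an added example that is not part of the original post. It assumes the worker name reaches the logs in some column (called _node here, which is an assumption; use whatever field your logging setup carries it in) and that lb_procs=N yields worker-X-1 through worker-X-N, as the post describes:

```python
import configparser
from typing import Dict, Optional

# Constructed sample mirroring the node.cfg posted above (the bare "#"
# separator lines are treated as comments by configparser).
NODE_CFG = """
[manager]
type=manager
host=localhost
#
[proxy-1]
type=proxy
host=localhost
#
[worker-1]
lb_method=pf_ring
lb_procs=2
pin_cpus=0,1
type=worker
host=localhost
interface=eth1
#
[worker-2]
lb_method=pf_ring
lb_procs=2
pin_cpus=2,3
type=worker
host=localhost
interface=eth2
"""


def worker_interfaces(cfg_text: str) -> Dict[str, str]:
    """Map every per-process worker name to the interface its section sniffs."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    mapping: Dict[str, str] = {}
    for section in cp.sections():
        if cp.get(section, "type", fallback="") != "worker":
            continue  # manager/proxy sections have no interface
        iface = cp.get(section, "interface", fallback="unknown")
        if cp.has_option(section, "lb_procs"):
            # Load-balanced section: broctl names the processes worker-X-1..worker-X-N.
            n = cp.getint(section, "lb_procs")
            names = [f"{section}-{i}" for i in range(1, n + 1)]
        else:
            names = [section]  # single-process worker keeps its section name
        for name in names:
            mapping[name] = iface
    return mapping


def interface_for(node: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve the _node value from a log line (assumed column) to an interface."""
    return mapping.get(node)
```

Run over a log export, the `_node` value "worker-2-1" resolves to eth2, which is the interface whose pcap store you would search for that event.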