zeek December 2018

zeek@lists.zeek.org

29 participants
23 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 days, 20 hours

DNS forwarding + weird.log

by Michael Alaly

Does anyone have a recommended way to handle a sensor that also runs a DNS resolver/forwarder? Since the requests "originate" at the sensor there is no other side of the traffic for Zeek to see. This generates a weird.log possible_split_routing entry for every forwarded DNS request. Is this generally avoided by moving DNS off the firewall/sensor, or are there other ways of handling this? Thanks, Michael

3 years, 1 month

files.log

by Alex Kefallonitis

Hi is there a way to exclude only application/pkix-cert from files.log ? Thanks in advanced

3 years, 1 month

Bro upgrades, and plugins vs. packages, and bro-pkg

by James Lay

So here we go. I've attacked this with my lab and here are some thoughts/results. Current state: bro-2.6 installed from source (config option --prefix=/opt/bro) bro-af_packet-plugin ja3 intel-seen-more domain-tld installed via bro-pkg after upgrading to bro-2.6.1 errors like the below: fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot load plugin library /opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: /opt/bro/lib/bro/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: undefined symbol: bro_version_2_6_plugin_6 next up, remove and reinstall bro-af_backup-plugin: root@# bro-pkg remove bro-af_packet-plugin The following packages will be REMOVED: bro/j-gras/bro-af_packet-plugin Proceed? [Y/n] y Removed "bro/j-gras/bro-af_packet-plugin" root@# bro-pkg install bro-af_packet-plugin The following packages will be INSTALLED: bro/j-gras/bro-af_packet-plugin (1.3.0) Proceed? [Y/n] y Running unit tests for "bro/j-gras/bro-af_packet-plugin" [ 0%] scripts.show-plugin ... failed % 'bro -NN Bro::AF_Packet > output' failed unexpectedly (exit code 1) % cat .stderr fatal error in /opt/bro/share/bro/base/init-bare.bro, line 1: cannot load plugin library /root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: /root/.bro-pkg/testing/bro-af_packet-plugin/plugins/packages/bro-af_packet-plugin//lib/Bro-AF_Packet.linux-x86_64.so: undefined symbol: bro_version_2_6_plugin_6 1 of 1 test failed error: bro/j-gras/bro-af_packet-plugin tests failed, inspect contents of /root/.bro-pkg/testing/bro-af_packet-plugin for details Proceed to install anyway? [N/y] n Abort. a thought occurs....modify /root/.bro-pkg/config -> bro_dist = /build/bro-2.6.1 all works. So long story short, the upgrade process going forward should be: ./configure, make, make install bro-pkg autoconfig bro-pkg refresh on from there. It might be worthwhile to annotate somewhere in the README or create an UPGRADE in the tarball to reflect that bro-pkg will need some attention as well during the upgrade process. Thank you! James

3 years, 1 month

Timetable for RPM release for 2.6.x

by Robert Cotter

Is there a timetable available yet for the release of RPM's zeek/bro's latest release via the repo ? Regards Robert Cotter Sales Engineer - APAC Region http://www.endace.com/

3 years, 1 month

[Bro] Bro 2.6.1 release

by Jon Siwek

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Bro v2.6.1 is available for download: https://www.zeek.org/download/index.html https://www.zeek.org/downloads/bro-2.6.1.tar.gz This release updates the embedded SQLite to version 3.26.0 to address the "Magellan" remote code execution vulnerability. The stock Bro configuration/scripts don't use SQLite by default, but custom user scripts/packages may. This release also updates Broker to v1.1.2, which includes a minor bug fix in its Python bindings and improved support for building it as a static library. -----BEGIN PGP SIGNATURE----- iQIcBAEBAgAGBQJcGowAAAoJEKfUHOR63zbz3EUP/iVCvDHFPwl/i8QQUQUTz7gQ bdyE95USUd4J7+tZEnd3f0yoqTDmFGxWfioLlr0U+Qpz7K8fgEb7lnSIin7O4vb+ nuPM3fRrl3uh8P0PjALWvmxqS7LQMiJOV72XCoBF/2illWny8G/57inkeaoqYeYl /bHMoS7xPb3BZVXjj/v2aLMXvyeDY9Xv3cqzmKEiKHAE09WxMUNFsWHQhyLqLunU 0bJqSRjQwy3nMDq9lUGUXdqXiVILufkVN7kXu8WgjTn2Cis1D8ZRDNhYSKW1PFQA kCKqxXjuBe97MAYlls/nv7IadivJx22h7A/sogjxJh7oTmjyDC4UKWnjH09zWjdh UYfS51D1bdDDv4yFLgCXGPkg02cUIRAO7w12XCfgTe1g0hoJOcl4faBWvNa3xBZV z5Qge+1mrW/k5MEtCSFnRPGvxD7SeZ7Dj+9PQcA9wY2iO6YNKQz7DYZjb8i6Gnaf L+4yO51B2qasUQICW0sZiYkg5LU847DyGrcfTE4z9ImlsSwpIxagbfG/3zxtIAow vpF5Su2g1/C9jXxJJovcthWf/HM3/VaBWwDpd8K7zmIssbMbd/apQvwitnMdM6y2 GJY9i7LPgSJTCkRyLrE1jvKBbuF3225VUfq1n4dwT6EByyJ9TxLgHfFA/gHYiG8Z skDvIlyix1XUZl5UpLLI =TFfn -----END PGP SIGNATURE-----

3 years, 1 month

[Bro] Zeek mailing list renaming and outage

by Johanna Amann

Hello everyone, As part of renaming Bro to Zeek, we are going to change the addresses and names of all our mailing lists. The important thing first: this change is going to happen tomorrow (Thursday), 12/20. The mailing list rename will happen during a system maintenance window at ICSI (which is hosting the mailing list). Thus the mailing lists (including the archives) will be unavailable for a few hours during the day on Thursday. Mails sent to the lists during this time should be queued and delivered when the system is back up. The current Bro mailing lists will be renamed as follows: bro(a)bro.org -> zeek(a)zeek.org bro-dev(a)bro.org -> zeek-dev(a)zeek.org bro-commits(a)bro.org -> zeek-commits(a)zeek.org bro-announce(a)bro.org -> zeek-announce(a)zeek.org Similarly we will change the mailing list subject tags from Bro to Zeek. There will be redirects from the old mailing list names to the new ones, so mails sent to the old addresses will not be lost. Johanna

3 years, 1 month

[Bro] Bro logs - enable_local_logging and remove_default_filter

by Hovsep Levi

Hi all, Can you please help to explain how to disable local logging ? I am using the KafkaWriter Bro plugin for many years now without a problem but after an upgrade to Bro 2.6 there is a problem. The logs that are excluded from sending to Kafka are the logs that are being written to disk. In Bro config language that means the logs that are not explicitly defined in KafkaLogger::logs_to_send. Example from local.bro for KafkaLogger: redef KafkaLogger::logs_to_send( CaptureLoss::LOG, etc... ) Historically I modify the KafkaLogger plugin slightly to support disabling the writing of logs to disk by adding a function call to "Log::remove_default_filter" for each log. With Bro 2.6 this no longer seems to work the way it once did. So I check the documentation at https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.html and see remove_default_filter still exists and also notice two variables that might be relevant to my issue. Log::enable_local_logging <https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.htm…>: bool <https://www.bro.org/sphinx-git/script-reference/types.html#type-bool> &redef <https://www.bro.org/sphinx-git/script-reference/attributes.html#attr-&redef> If true, local logging is by default enabled for all filters. Log::enable_remote_logging <https://www.bro.org/sphinx-git/scripts/base/frameworks/logging/main.bro.htm…>: bool <https://www.bro.org/sphinx-git/script-reference/types.html#type-bool> &redef <https://www.bro.org/sphinx-git/script-reference/attributes.html#attr-&redef> If true, remote logging is by default enabled for all filters. But when I try to set Log::enable_local_logging=0 within the KafkaLogger plugin loop for each log I get an error. Thanks in advance. -Hovsep

3 years, 1 month

[Bro] BPF Syntax/Runtime Problem

by Andy Millett

3 years, 1 month

[Bro] - recommended DB for Bro logs

by william de ping

Hi all, I would appreciate recommendations for a DB server that is most suited for ingesting and digesting Bro logs. I know of some use cases involving splunk and the Splunk Bro app, but price and performance wise (10GBps incoming traffic) it does not seem to be the best solution out there. Does anyone have any experience with Bro and ElasticSearch | Redis | MySQL ? I am looking into different solutions and would appreciate your thoughts. Thanks in advance B

3 years, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek December 2018