zeek May 2018

zeek@lists.zeek.org

47 participants
52 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 days, 20 hours

[Bro] BroCon 2018: Registration is open

by Robin Sommer

Dear Bro Community, We're excited to announce that registration for BroCon 2018 is now open at https://www.brocon2018.com . BroCon 2018 will take place October 10-12, in Arlington, VA. It offers the Bro community a chance to meet face-to-face, share new ideas and developments, and better understand and secure their networks. The conference is composed of presentations from members of the community and the Bro development team. We'll post the Call for Presentations shortly. If your organization is interested in supporting BroCon, please check out the sponsorship opportunities. Robin -- Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin

3 years, 6 months

[Bro] An assist with Splunk addon

by James Lay

All, So I've been dabbling with Splunk, Bro, and the Corelight apps. I setup a listener, installed the App on the Splunk server, and installed the Universal Forwarder (just trying it out; I know I can just use rsyslog/syslog-ng) on the machine that's running bro, pointed the Universal Forwarder to a listener, and install the TA addon on the machine running bro and the Universal Forwarder. Alas, my output is...unexpected: Anyone have any hints on what the issue might be? Thank you. James

3 years, 7 months

[Bro] bro cluster in containers

by Poore, Jeffrey S

Has anyone implemented a bro cluster in containers? The reason I ask is that we are looking to build a cluster on top of Mesos / DC/OS so that we can have high availability as we are processing tons of traffic, and it is just easier to deploy things on top of it if we do it in containers. I understand how to do most of it, but the configuration so that the cluster master knows about all the other instances is kind of my sticking point. Is there a way to utilize a tool like zookeeper so that it can dynamically manage the instances in case one of them crashes and then gets spun up on a different host? ---------------------------------------------------------------------- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer. If you are not the intended recipient, please delete this message.

3 years, 7 months

[Bro] Best Way to Dynamically Update Signatures?

by Michael Kortekaas

Bro Community, I currently have a Bro script that downloads and dynamically updates Intel data from a central source. It is a scheduled event running in Bro so it doesn't require a check/restart. I need to create a similar type mechanism for signatures but the only documentation I can find seems to indicate that I need to use @load-sigs and have a file available at startup. However I do need the ability to update signatures on a fairly frequent basis. Although I opted not to use Intel data files which have the feature of reloading when modified, I am wondering if a similar feature exists for .sig files. Signatures appear to be the type of data that would be stored in a data structure rather than compiled as code. Is there a corresponding API for accessing (add, update, remove) the signature data from a Bro script? Another potential is to write a Python script to update the signature file and have it trigger a reload of Bro. Rather than forcing Bro to shut down and restart for a signature file update at an arbitrary time that could interfere with normal processing, is there a regular event/operation where this reload could/should be triggered for minimal impact? Or, is there another mechanism for signature updates that I have not yet considered? Any related issues or considerations regarding Bro clusters would be useful to know as well. Any help or insight into how best to dynamically update signatures would be much appreciated. Regards, Michael Kortekaas

3 years, 8 months

[Bro] File Extraction Gaps

by Weasel, Gary W Jr CIV DISA RE (US)

Hey Bro List, So I seem to be running into a problem with file extraction (or perhaps just file analysis in general). I have a basic extraction script running pulling out EXEs that are seen coming across HTTP and for some reason, there are consistently a large number of file gaps in the file it sees. I have a custom log outputting the fuid for any file_gap event (https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html#id-file_gap), and I seem to get a wildly varying number of file gap events for a given file. In my example, I am curling an exe to a server, where that traffic is spanned to my Bro sensor (the exe in question is 1 MB in size). If I curl repeatedly, Bro sees all the files, but the number of file gap events varies wildly (anywhere from 2 or 3 to over 100). The part that gets me, if I tcpdump alongside Bro, and pull the files out of pcap, they're all intact and hash correctly, so I know I'm getting all the packets on wire. Bro and PF_RING report 0 packet loss. Does anyone have anything that could shed light on what's going on here? Thanks, - Gary

3 years, 8 months

[Bro] Myricom SNFv3 and CentOS 7.5

by Chris Herdt

A heads-up for other Myricom SNFv3 users: I recently updated a couple of dev hosts to CentOS 7.5 and found that the Myricom SNFv3 drivers (I'm using 3.0.13) no longer load and fail to rebuild. I've contacted CSPi support and they are looking into it. -- Chris Herdt University of Minnesota cherdt(a)umn.edu

3 years, 8 months

[Bro] issues with binpac and bro 253

by erik clark

{"ts":1526476092.155226,"uid":"CLBfQGYsYuPPYghW6","id.orig_h":"10.171.248.5","id.orig_p":59860,"id.resp_h":"10.171.3.35","id.resp_p":5901,"proto":"tcp","analyzer":"RFB","failure_reason":"Binpac exception: binpac exception: out_of_bound: RFBVNCAuthenticationResponse:response: 16 > 4"} {"ts":1526902777.802284,"uid":"CRbgOr2vlXZquGHbC4","id.orig_h":"10.171.253.5","id.orig_p":51389,"id.resp_h":"209.208.26.64","id.resp_p":1883,"proto":"tcp","analyzer":"MQTT","failure_reason":"Binpac exception: binpac exception: out_of_bound: MQTT_string:str: 258 > 2"} {"ts":1526385277.166233,"uid":"Cp5ewt2gFK34Hk2vSg","id.orig_h":"128.154.164.150","id.orig_p":59357,"id.resp_h":"10.171.253.18","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -82 > 30"} {"ts":1526385276.305273,"uid":"CEv2fC11PlksxaS5Tf","id.orig_h":"128.154.164.150","id.orig_p":59356,"id.resp_h":"10.171.253.15","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT:cookie: 16 > 4"} {"ts":1526385714.957199,"uid":"CKBKhA2vqPokc34a43","id.orig_h":"128.154.164.150","id.orig_p":59463,"id.resp_h":"10.171.253.6","id.resp_p":22,"proto":"tcp","analyzer":"SSH","failure_reason":"Binpac exception: binpac exception: out_of_bound: SSH2_KEXINIT: -154 > 30"} The ssh analyzer and rfb analyzer are both throwing binpac exceptions; Also, so is the newly converted MQTT plugin that Seth built. Why are these failing? I do not have pcap. I would like to know why the ssh analyzer specifically would be failing. This is a new install of bro and we do not have an old version on this network to compare dpd logs on. Thanks!

3 years, 8 months

[Bro] Bro Blog: Broker is Coming -- Persistent Stores

by Dopheide, Jeannette M

Hi All, We have a new blog post about Broker we'd like to share. It's written by guest blogger Mike Dopheide, thanks Dop! You can find it here: http://blog.bro.org/2018/05/broker-is-coming-persistent-stores.html ------ Jeannette M. Dopheide Sr. Education, Outreach and Training Coordinator National Center for Supercomputing Applications University of Illinois at Urbana-Champaign

3 years, 8 months

Re: [Bro] bro not alert nessus attack

by fatema bannatwala

Hi Bz Oz, It depends on what you are testing with nessus and how are you testing it. Bro should be able to detect scanning, ssh-bruteforce, sql injection, htp-bruteforce etc. by default. Hence, if you are scanning the systems from your nessus machine, and if Bro is able to sniff that traffic, then scanning get reported in notice.log file. It might not able to detect all the attacks that you launch from nessus, unless you have custom scripts/plugins installed in Bro. Fatema.

3 years, 8 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek May 2018