zeek June 2018

zeek@lists.zeek.org

45 participants
40 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

5 months

[Bro] BroCon 2018: Registration is open

by Robin Sommer

Dear Bro Community, We're excited to announce that registration for BroCon 2018 is now open at https://www.brocon2018.com . BroCon 2018 will take place October 10-12, in Arlington, VA. It offers the Bro community a chance to meet face-to-face, share new ideas and developments, and better understand and secure their networks. The conference is composed of presentations from members of the community and the Bro development team. We'll post the Call for Presentations shortly. If your organization is interested in supporting BroCon, please check out the sponsorship opportunities. Robin -- Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin

3 years, 11 months

[Bro] BroCon 2018 Call for Presentations

by Keith Lehigh

BroCon 2018 is accepting presentation proposals. We are looking for talks to represent the many applications of Bro. Suitable topics include, but are not limited to: * as a tool for solving problems; * interesting user stories, solutions, or research projects; * a postmortem analysis of a security incident, emphasizing Bro’s contribution; * the value Bro brings to your professional work; * and, using Bro for more than intrusion detection. * Please, no product presentations Criteria for evaluating proposals include whether the topic is applicable to multiple types of organizations, gives people ideas to take home and use, can be understood by a broad audience, or is novel to many in the audience. Scrolling through our YouTube Channel may provide some insight into the types of presentations we wish to feature. Plan on limiting your talk to 30-35 minutes with an additional 10 minutes for questions/comments. Send abstracts (max 500 words) to: info(a)bro.org Subject: BroCon 2018 Call for Presentations Submission due date: Friday, July 13th Target date for announcing speakers: Friday, July 27th CFPs are selected by the Bro Leadership Team: Johanna Amann, ICSI / Corelight / LBNL Seth Hall, Corelight Keith Lehigh, Indiana University Vern Paxson, Corelight / ICSI / UC Berkeley Michal Purzynski, Mozilla Foundation Aashish Sharma, Lawrence Berkeley Lab Adam Slagell, National Center for Supercomputing Applications Robin Sommer, Corelight / ICSI / LBNL Jan Grashöfer, Karlsruhe Institute of Technology (KIT) - Keith Lehigh Technical Program Chair BroCon 2018

3 years, 11 months

[Bro] Bro and systemd without broctl

by James Lay

Hey all, So...I run a very lean box, and that means not using broctl. With older versions of linux rc.local was just fine to get a script to start bro, but with systemd it's not the same. My startup script is similar to the below: cd /opt/bro/spool/bro && /opt/bro/bin/bro -C -i eth0 -i eth1 --filter 'long filter option here' local "Site::local_nets += { externalIP,internatNET }" & This has worked like a champ but this command in a .service file or the .service file pointing to a script that contains the above does not work. So I have a couple points/questions: 1. Has anyone worked out a systemd .service file with bro that doesn't use broctl? 2. It would be nice to have a command line flag that can be used to specify the log path, this way I could forgo the cd command above. Thank you. James

3 years, 11 months

[Bro] configure sshd port for bro nodes in cluster mode

by OpenShift Ninja

Is it possible to easily configure Bro in cluster mode to connect on alternate ports other than 22? The reason I ask is that I'm running my bro processes inside containers on a host that already has sshd on port 22 (I'm running a sidecar sshd inside the container on port 2022). I can probably find it if I dig around, but if someone knows how to do this, let me know.

3 years, 12 months

[Bro] Overwriting logs

by john Y

Hello all! Need advice about a problem i have: I am initiating many bro command on dynamically incoming pcaps, such as: "bro -r some_file_name". On every run, logs are created in the same directory, but the next run rewrite those logs. How can bro create logs with uniqe log name foreach run? Also tried to add timestamp to the log name but did not find how to get current time. Love for your help, John

3 years, 12 months

[Bro] Bro plugins: Any best practices for the number of plugins on an instance?

by John Peters

I'm curious if there is a rough estimate or best practice for the amount of plugins that a bro instance can run without affecting performance? I have about 5 running so far on a couple instances and all seems good, but not sure if there's a limit to the number bro can run, if it doesn't matter, etc. Thanks in advance.

3 years, 12 months

[Bro] Different Connection UID when using different modus

by DW

Hi there, I wrote a little script to keep track of some values send between to two PLCs, measuring the pressure of a compressor. To test it, I recorded the data traffic between those PLCs with wireshark. However, I noticed that if I run Bro as command-line-utility, all packets belong to the same Connection UID (which is right, it's one single TCP connection), like this: 1524935590.861128 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429 1524935592.240910 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921 1524935593.510075 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541 1524935594.644501 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682 1524935595.890453 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949 1524935597.034076 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842 1524935598.310198 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352 1524935599.455176 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778 1524935600.715050 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203 1524935601.858465 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899 1524935603.105988 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777 1524935604.263663 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756 If I replay the pcap with tcpreplay and use Bro with BroCtl, the connection UID changes every 4 to 5 packets: 1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429 1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921 1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541 1530283330.327749 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682 1530283331.575829 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949 1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842 1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352 1530283335.139726 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778 1530283336.399753 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203 1530283337.547808 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899 1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777 1530283339.947775 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756 Could it be because I'm using tcpreplay? Or is it a wanted behavior of Bro? Thanks! Dane

3 years, 12 months

[Bro] local_orig , local_resp field implementation error

by ps sunu

In conn.log local_orig , local_resp fields implemented like below so i done same implementation in files.log and ssl.log , but i am facing one problem ,ssl log says local_orig is true but files log says local_orig is false conn.log if( |Site::local_nets| > 0 ) { c$conn$local_orig=Site::is_local_addr(c$id$orig_h); c$conn$local_resp=Site::is_local_addr(c$id$resp_h); } ssl.log if( |Site::local_nets| > 0 ) { c$ssl$local_orig=Site::is_local_addr(c$id$orig_h); c$ssl$local_resp=Site::is_local_addr(c$id$resp_h); } files.log if( |Site::local_nets| > 0 ) { f$info$local_orig=Site::is_local_addr(c$id$orig_h); f$info$local_resp=Site::is_local_addr(c$id$resp_h); } Regards, Sunu

3 years, 12 months

[Bro] Bro detecting malicious smtp

by Monah Baki

Hi All, We received a phishing email to our CEO (See below). The link if you run against virustotal is flagged as malicious/phishing. Is there a way to utilize Bro to automate checking against virustotal, is there any limit as to how many emails with links you can check against virustotal, if there are better solutions? *From:* E-ḟax Online <712-559-2211> @electronic ḟax transmission@Donotreply <bison(a)bigrunlf.com> *Sent:* Tuesday, June 26, 2018 12:01 PM *Subject:* Delivery-Scanned- 32234 Hello, You have a new fax from eFax with a page count of 3 Date Received: *2018-06-22 09:07:26 EDT* Type: *Attached in pdf* Number of pages: *3* Reference #: chd_pgf4-1509631610-13058327707-63 View Scanned Document-41223 <https://wecdit.com/Silent%22%3A%3F%3E%3CSilent%22%3A%3F%3E%3CSilent%22%3A%3…> Yours, Fax System

4 years

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek June 2018