zeek July 2018

zeek@lists.zeek.org

26 participants
20 discussions

[Bro] Bro with PF_RING receive repeating data packets

by Bowen Li

Hi all, Recently I have some problems with Bro and PF_RING in cluster. On my server, when I have less than 32 worker threads(rings), everything is okay, but when I use worker threads more than 32, pf_ring start to receive repeating data packets. For example, rings less than 32, I send 400000 packets to server and pf_ring info in /proc shows there is 400000 packets in rings, but when rings greater than 32, I can get 800000 packets when 33 rings and 1200000 packets when 34 rings and so on. I guess if there is some rules that a pf_ring or a bro cluster can only support less than 32 rings or worker threads on a server or some other reasons? Any insight would be helpful.

3 months, 3 weeks

[Bro] CoAP

by erik clark

Does anyone know if there is a Bro plugin for CoAP traffic detection and identification? We have the MQTT plugin for IoT bits, but we would like to support CoAP as well. Thanks!

3 years, 9 months

[Bro] Query

by Devansh Dubey

Hi ,I am Devansh Dubey from INDIA. I am having a doubt that can bro communicate with beats.I hope that you will reply me as soon as possible.

3 years, 9 months

[Bro] Fwd: [Contact ICSI] ICSI Notary down?

by Peter Hallin

Dear Bro, Do you have any info regarding notary.icsi.berkeley.edu<http://notary.icsi.berkeley.edu>? It doesn’t resolve anymore. Thanks, Peter Hallin Lund University IRT Vidarebefordrat brev: Från: Travis Caskey <tjcaskey(a)icsi.berkeley.edu<mailto:tjcaskey@icsi.berkeley.edu>> Datum: 26 juli 2018 19:56:00 CEST Till: <peter.hallin(a)ldc.lu.se<mailto:peter.hallin@ldc.lu.se>>, <frontdesk(a)ICSI.Berkeley.EDU<mailto:frontdesk@ICSI.Berkeley.EDU>> Ämne: Re: [Contact ICSI] ICSI Notary down? Svara till: <tjcaskey(a)icsi.berkeley.edu<mailto:tjcaskey@icsi.berkeley.edu>> Peter, I would recommend that you send note of this problem to bro(a)bro.org<mailto:bro@bro.org>, where I believe they can be of further assistance. Travis On 7/26/2018 1:27 AM, peter.hallin(a)ldc.lu.se<mailto:peter.hallin@ldc.lu.se> wrote: Peter Hallin (peter.hallin(a)ldc.lu.se<mailto:peter.hallin@ldc.lu.se>) sent a message using the contact form at https://www.icsi.berkeley.edu/icsi/contact. Hello, We are using the SSL certificate notary with our Bro installation, but now it seems down. The website is also unavailabe. Just wanted to check if this is temporary or if the service has been retired. Thanks, Peter Hallin Lund University IRT

3 years, 10 months

[Bro] Missing or "localhost" host field in bro http logs

by Federico Foschini

Hello, I notice that sometimes the field host in a bro-http log is missing or contains localhost as a value. How is that possible? This is an example of a log witth localhost as host: http.11:00:00-12:00:00.bak.gz:{"ts":"2018-07-25T11:39:09.440378Z","uid":"CZDkyn2xwPRU17Qm9g","id_orig_h":"198.134.154.227","id_orig_p":49558,"id_resp_h":"192.168.237.29","id_resp_p":8081,"trans_depth":3,"method":"GET","host":"localhost","uri":"/ospos/index.php/login","version":"1.1","user_agent":"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0","request_body_len":0,"response_body_len":0,"status_code":500,"status_msg":"Internal Server Error","tags":[]} In this one the host is missing: http.12:00:00-13:00:00.bak.gz:{"ts":"2018-07-25T12:09:31.955600Z","uid":"CERXcsevwbBQrqWDf","id_orig_h":"192.168.235.47","id_orig_p":57326,"id_resp_h":"192.168.50.201","id_resp_p":80,"trans_depth":2,"request_body_len":0,"response_body_len":0,"tags":[]} Is that a normal behavior? Thanks -- Federico Foschini.

3 years, 10 months

[Bro] BroCon 2018: Registration is open

by Robin Sommer

Dear Bro Community, We're excited to announce that registration for BroCon 2018 is now open at https://www.brocon2018.com . BroCon 2018 will take place October 10-12, in Arlington, VA. It offers the Bro community a chance to meet face-to-face, share new ideas and developments, and better understand and secure their networks. The conference is composed of presentations from members of the community and the Bro development team. We'll post the Call for Presentations shortly. If your organization is interested in supporting BroCon, please check out the sponsorship opportunities. Robin -- Robin Sommer * ICSI/LBNL * robin(a)icir.org * www.icir.org/robin

3 years, 10 months

[Bro] Bro/ELK or SecurityOnion

by Antonis Kalkanof

Content Removed

3 years, 10 months

[Bro] Bro Workshop Europe - Registration open

by Johanna Amann

Hi, the registration for the Bro Workshop Europe (September 18th/19th, @KIT, Karlsruhe, Germany) is now open. To register, please visit https://dsn.tm.kit.edu/english/bro_workshop_europe.php (this is also linked from https://bro.org). The workshop is a one-day event split in two half-days to allow easy traveling for participants in Europe: the program will start at with lunch on Tuesday and end after lunch on Wednesday. The program will consist of talks by the Bro development team and external contributors. A large part of the development team will be attending the workshop. I will send another email once a more detailed program is available. If you are interested in giving a talk at the Workshop, please send an email to info(a)bro.org. Johanna

3 years, 10 months

[Bro] BroCon2018 Sponsorship Openings

by Keith Lehigh

Greetings, As the date for Brocon2018 approaches, I wanted to note that we still have sponsorship opportunities available. You can find a sponsorship prospectus with details and contact information on the BroCon2018 Sponsorship page. [1] Thanks! - Keith [1] https://www.brocon2018.com/event/sponsors

3 years, 10 months

[Bro] RPM package creation results in unlinked libraries when installed

by bkeep

Hi, I am trying to create an rpm package to easily distribute a package to other sensors but seem to be doing something wrong when building the package. The package builds okay but when installed, I end up with an error, which is "bro: error while loading shared libraries: libbroker.so.0: cannot open shared object file: No such file or directory." Running ldd, shows "not found" but on a working instance, the path is populated (/opt/bro/lib/libbroker.so.0). I also double checked that the file exists on the file system and it's there. I can launch broctl and run a few commands but when I do "deploy," I get the above error. On the build system, I have installed the prerequisite software using yum. yum install cmake make gcc gcc-c++ flex bison libpcap-devel openssl-devel python-devel swig zlib-devel rpm-build Also installed pf_ring from an rpm using the ntop.org repo. The process I followed for building the package was: git clone --recursive https://github.com/bro/bro.git cd bro LDFLAGS="-lpfring -lpcap" ./configure --prefix=/opt/bro --with-pcap=/usr/local/ --pkg-name-prefix=Bro --binary-package cd build make package scp the file to the intended sensor yum localinstall Bro-2.5-725-Linux-x86_64.rpm The [root@bro00 ~]# ldd /opt/bro/bin/bro |grep libbroker libbroker.so.0 => not found Both the build machine and the intended install target are setup the same. They are Centos 7.5.1804 (Core) VM's running on VMware 6.5 with kernel 3.10.0-862.6.3.el7.x86_64. Compiling BRO from source but leaving off the --binary-package flags resulted in a working install on the build machine as well using make && make install. I am not sure what piece I am missing here so any advice would be appreciated. Regards, Brandon

3 years, 10 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

zeek July 2018